Providing mobile device management functionalities for a managed browser

ABSTRACT

Methods, systems, computer-readable media, and apparatuses for providing mobile device management functionalities are presented. In various embodiments, a mobile device management agent may monitor state information associated with a mobile computing device. The monitored state information may be analyzed on the mobile computing device and/or by one or more policy management servers. In some instances, the one or more policy management servers may provide management information to the mobile computing device, and the management information may include one or more commands (which may, e.g., cause the mobile computing device to enforce one or more policies) and/or one or more policy updates. Subsequently, one or more policies may be enforced on the mobile computing device based on the monitored state information and/or based on the management information.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.14/025,898, filed Sep. 13, 2013, and entitled “PROVIDING MOBILE DEVICEMANAGEMENT FUNCTIONALITIES,” and which is incorporated by referenceherein in its entirety. In addition, this application claims the benefitof U.S. Provisional Patent Application Ser. No. 61/863,629, filed Aug.8, 2013, and entitled “PROVIDING MOBILE DEVICE MANAGEMENTFUNCTIONALITIES,” and which is incorporated by reference herein in itsentirety. This application also claims the benefit of U.S. ProvisionalPatent Application Ser. No. 61/806,557, filed Mar. 29, 2013, andentitled “SYSTEMS AND METHODS FOR ENTERPRISE MOBILITY MANAGEMENT,” andwhich is incorporated by reference herein in its entirety.

BACKGROUND

Aspects of the disclosure relate to computer hardware and software. Inparticular, one or more aspects of the disclosure generally relate tocomputer hardware and software for providing mobile device managementfunctionalities.

Increasingly, corporations and other organizations are providing and/orotherwise enabling their employees and other associates with mobiledevices, such as smart phones, tablet computers, and other mobilecomputing devices. As these devices continue to grow in popularity andprovide an increasing number of functions, many organizations may wishto place certain controls on how these devices can be used, whatresources these devices can access, and how the applications running onthese devices can interact with other resources.

SUMMARY

Various aspects of the disclosure provide more efficient, effective,functional, and convenient ways of controlling how mobile devices can beused, what resources mobile devices can access, and how the applicationsand other software running on these devices can interact with otherresources. In particular, in one or more embodiments discussed ingreater detail below, mobile device management functionalities aredeployed, implemented, and/or used in a number of different ways toprovide one or more of these and/or other advantages.

In some embodiments, a computing device may load a managed browser.Subsequently, the computing device may apply one or more mobile devicemanagement policies to the managed browser, and at least one policy ofthe one or more mobile device management policies may be configured tocontrol one or more functionalities of the computing device.

In some embodiments, a mobile device management agent may monitor stateinformation associated with a mobile computing device. Subsequently, themobile device management agent may apply one or more policies toapplication tunneling functionalities on the mobile computing devicebased on the monitored state information.

In some embodiments, a computing device may establish a connection to atleast one other device to initiate a device cloud. Subsequently, thecomputing device may apply one or more policies to the device cloud, andthe one or more policies may be configured to allocate a first role thecomputing device and a second role to the at least one other deviceparticipating in the device cloud.

In some embodiments, a mobile device management agent may monitor stateinformation associated with a mobile computing device. Subsequently, oneor more modes of a multi-mode application may be selectively disabledbased on the monitored state information.

In some embodiments, a mobile device management agent may monitor stateinformation associated with a mobile computing device. Subsequently, oneor more policies may be enforced on at least one application on themobile computing device based on the monitored state information.

In some embodiments, a mobile device management agent may monitor stateinformation associated with a mobile computing device. Subsequently, asecure document container may be controlled based on the monitored stateinformation.

In some embodiments, a mobile device management agent may monitor stateinformation associated with a mobile computing device. Subsequently, amobile device management policy enforcement scheme on the mobilecomputing device may be dynamically modified based on the monitoredstate information.

In some embodiments, a mobile computing device may receive at least onemobile device management policy from an application store. Subsequently,state information associated with the mobile computing device may bemonitored via a mobile device management agent. Then, the at least onemobile device management policy may be enforced based on the monitoredstate information.

In some embodiments, a mobile computing device may receive a singlesign-on (SSO) credential that is associated with at least one useraccount. Subsequently, state information associated with the mobilecomputing device may be monitored via a mobile device management agent.Then, at least one mobile device management policy may be enforced basedon the monitored state information and the SSO credential.

These features, along with many others, are discussed in greater detailbelow.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limitedin the accompanying figures in which like reference numerals indicatesimilar elements and in which:

FIG. 1 depicts an illustrative computer system architecture that may beused in accordance with one or more illustrative aspects describedherein.

FIG. 2 depicts an illustrative remote-access system architecture thatmay be used in accordance with one or more illustrative aspectsdescribed herein.

FIG. 3 depicts an illustrative enterprise mobility management systemthat may be used in accordance with one or more illustrative aspectsdescribed herein.

FIG. 4 depicts another illustrative enterprise mobility managementsystem that may be used in accordance with one or more illustrativeaspects described herein.

FIG. 5 depicts a flowchart that illustrates a method of applying one ormore mobile device management policies to a managed browser inaccordance with one or more illustrative aspects discussed herein.

FIG. 6 depicts a flowchart that illustrates a method of applying one ormore mobile device management policies to application tunnelingfunctionalities in accordance with one or more illustrative aspectsdiscussed herein.

FIG. 7 depicts a flowchart that illustrates a method of applying one ormore mobile device management policies to a device cloud in accordancewith one or more illustrative aspects discussed herein.

FIG. 8 depicts a flowchart that illustrates a method of selectivelydisabling one or more modes of a multi-mode application based on one ormore mobile device management policies in accordance with one or moreillustrative aspects discussed herein.

FIG. 9 depicts a flowchart that illustrates a method of enforcing one ormore mobile device management policies on one or more applications inaccordance with one or more illustrative aspects discussed herein.

FIG. 10 depicts a flowchart that illustrates a method of controlling asecure document container based on device state information inaccordance with one or more illustrative aspects discussed herein.

FIG. 11 depicts a flowchart that illustrates a method of dynamicallymodifying a mobile device management policy enforcement scheme based ondevice state information in accordance with one or more illustrativeaspects discussed herein.

FIG. 12 depicts a flowchart that illustrates a method of enforcingmobile device management policies that are received from an applicationstore in accordance with one or more illustrative aspects discussedherein.

FIG. 13 depicts a flowchart that illustrates a method of enforcingmobile device management policies based on a single sign-on credentialin accordance with one or more illustrative aspects discussed herein.

FIG. 14 depicts a flowchart that illustrates another method of applyingone or more mobile device management policies to a device cloud inaccordance with one or more illustrative aspects discussed herein.

DETAILED DESCRIPTION

In the following description of the various embodiments, reference ismade to the accompanying drawings identified above, which form a parthereof, and in which is shown by way of illustration various embodimentsin which various aspects of the disclosure may be practiced. Otherembodiments may be utilized, and structural and functional modificationsmay be made, without departing from the scope discussed herein. Variousaspects are capable of other embodiments and of being practiced or beingcarried out in various different ways. In addition, the phraseology andterminology used herein are for the purpose of description and shouldnot be regarded as limiting. Rather, the phrases and terms used hereinare to be given their broadest interpretation and meaning. The use of“including” and “comprising” and variations thereof is meant toencompass the items listed thereafter and equivalents thereof as well asadditional items and equivalents thereof.

As noted above, certain embodiments are discussed herein that relate toproviding mobile device management functionalities. Before discussingthese concepts in greater detail, however, several examples of computingarchitecture and enterprise mobility management architecture that may beused in implementing and/or otherwise providing various aspects of thedisclosure will first be discussed with respect to FIGS. 1-4.

Computing Architecture

Computer software, hardware, and networks may be utilized in a varietyof different system environments, including standalone, networked,remote-access (aka, remote desktop), virtualized, and/or cloud-basedenvironments, among others. FIG. 1 illustrates one example of a systemarchitecture and data processing device that may be used to implementone or more illustrative aspects described herein in a standalone and/ornetworked environment. Various network nodes 103, 105, 107, and 109 maybe interconnected via a wide area network (WAN) 101, such as theInternet. Other networks may also or alternatively be used, includingprivate intranets, corporate networks, local area networks (LANs),metropolitan area networks (MAN), wireless networks, personal networks(PAN), and the like. Network 101 is for illustration purposes and may bereplaced with fewer or additional computer networks. A LAN may have oneor more of any known LAN topology and may use one or more of a varietyof different protocols, such as Ethernet. Devices 103, 105, 107, 109 andother devices (not shown) may be connected to one or more of thenetworks via twisted pair wires, coaxial cable, fiber optics, radiowaves or other communication media.

The term “network” as used herein and depicted in the drawings refersnot only to systems in which remote storage devices are coupled togethervia one or more communication paths, but also to stand-alone devicesthat may be coupled, from time to time, to such systems that havestorage capability. Consequently, the term “network” includes not only a“physical network” but also a “content network,” which is comprised ofthe data—attributable to a single entity—which resides across allphysical networks.

The components may include data server 103, web server 105, and clientcomputers 107, 109. Data server 103 provides overall access, control andadministration of databases and control software for performing one ormore illustrative aspects describe herein. Data server 103 may beconnected to web server 105 through which users interact with and obtaindata as requested. Alternatively, data server 103 may act as a webserver itself and be directly connected to the Internet. Data server 103may be connected to web server 105 through the network 101 (e.g., theInternet), via direct or indirect connection, or via some other network.Users may interact with the data server 103 using remote computers 107,109, e.g., using a web browser to connect to the data server 103 via oneor more externally exposed web sites hosted by web server 105. Clientcomputers 107, 109 may be used in concert with data server 103 to accessdata stored therein, or may be used for other purposes. For example,from client device 107 a user may access web server 105 using anInternet browser, as is known in the art, or by executing a softwareapplication that communicates with web server 105 and/or data server 103over a computer network (such as the Internet).

Servers and applications may be combined on the same physical machines,and retain separate virtual or logical addresses, or may reside onseparate physical machines. FIG. 1 illustrates just one example of anetwork architecture that may be used, and those of skill in the artwill appreciate that the specific network architecture and dataprocessing devices used may vary, and are secondary to the functionalitythat they provide, as further described herein. For example, servicesprovided by web server 105 and data server 103 may be combined on asingle server.

Each component 103, 105, 107, 109 may be any type of known computer,server, or data processing device. Data server 103, e.g., may include aprocessor 111 controlling overall operation of the rate server 103. Dataserver 103 may further include RAM 113, ROM 115, network interface 117,input/output interfaces 119 (e.g., keyboard, mouse, display, printer,etc.), and memory 121. I/O 119 may include a variety of interface unitsand drives for reading, writing, displaying, and/or printing data orfiles. Memory 121 may further store operating system software 123 forcontrolling overall operation of the data processing device 103, controllogic 125 for instructing data server 103 to perform aspects describedherein, and other application software 127 providing secondary, support,and/or other functionality which may or may not be used in conjunctionwith aspects described herein. The control logic may also be referred toherein as the data server software 125. Functionality of the data serversoftware may refer to operations or decisions made automatically basedon rules coded into the control logic, made manually by a user providinginput into the system, and/or a combination of automatic processingbased on user input (e.g., queries, data updates, etc.).

Memory 121 may also store data used in performance of one or moreaspects described herein, including a first database 129 and a seconddatabase 131. In some embodiments, the first database may include thesecond database (e.g., as a separate table, report, etc.). That is, theinformation can be stored in a single database, or separated intodifferent logical, virtual, or physical databases, depending on systemdesign. Devices 105, 107, 109 may have similar or different architectureas described with respect to device 103. Those of skill in the art willappreciate that the functionality of data processing device 103 (ordevice 105, 107, 109) as described herein may be spread across multipledata processing devices, for example, to distribute processing loadacross multiple computers, to segregate transactions based on geographiclocation, user access level, quality of service (QoS), etc.

One or more aspects may be embodied in computer-usable or readable dataand/or computer-executable instructions, such as in one or more programmodules, executed by one or more computers or other devices as describedherein. Generally, program modules include routines, programs, objects,components, data structures, etc. that perform particular tasks orimplement particular abstract data types when executed by a processor ina computer or other device. The modules may be written in a source codeprogramming language that is subsequently compiled for execution, or maybe written in a scripting language such as (but not limited to)Javascript or ActionScript. The computer executable instructions may bestored on a computer readable medium such as a nonvolatile storagedevice. Any suitable computer readable storage media may be utilized,including hard disks, CD-ROMs, optical storage devices, magnetic storagedevices, and/or any combination thereof. In addition, varioustransmission (non-storage) media representing data or events asdescribed herein may be transferred between a source and a destinationin the form of electromagnetic waves traveling through signal-conductingmedia such as metal wires, optical fibers, and/or wireless transmissionmedia (e.g., air and/or space). Various aspects described herein may beembodied as a method, a data processing system, or a computer programproduct. Therefore, various functionalities may be embodied in whole orin part in software, firmware and/or hardware or hardware equivalentssuch as integrated circuits, field programmable gate arrays (FPGA), andthe like. Particular data structures may be used to more effectivelyimplement one or more aspects described herein, and such data structuresare contemplated within the scope of computer executable instructionsand computer-usable data described herein.

With further reference to FIG. 2, one or more aspects described hereinmay be implemented in a remote-access environment. FIG. 2 depicts anexample system architecture including a generic computing device 201 inan illustrative computing environment 200 that may be used according toone or more illustrative aspects described herein. Generic computingdevice 201 may be used as a server 206 a in a single-server ormulti-server desktop virtualization system (e.g., a remote access orcloud system) configured to provide virtual machines for client accessdevices. The generic computing device 201 may have a processor 203 forcontrolling overall operation of the server and its associatedcomponents, including random access memory (RAM) 205, read-only memory(ROM) 207, input/output (I/O) module 209, and memory 215.

I/O module 209 may include a mouse, keypad, touch screen, scanner,optical reader, and/or stylus (or other input device(s)) through which auser of generic computing device 201 may provide input, and may alsoinclude one or more of a speaker for providing audio output and a videodisplay device for providing textual, audiovisual, and/or graphicaloutput. Software may be stored within memory 215 and/or other storage toprovide instructions to processor 203 for configuring generic computingdevice 201 into a special purpose computing device in order to performvarious functions as described herein. For example, memory 215 may storesoftware used by the computing device 201, such as an operating system217, application programs 219, and an associated database 221.

Computing device 201 may operate in a networked environment supportingconnections to one or more remote computers, such as terminals 240 (alsoreferred to as client devices). The terminals 240 may be personalcomputers, mobile devices, laptop computers, tablets, or servers thatinclude many or all of the elements described above with respect to thegeneric computing device 103 or 201. The network connections depicted inFIG. 2 include a local area network (LAN) 225 and a wide area network(WAN) 229, but may also include other networks. When used in a LANnetworking environment, computing device 201 may be connected to the LAN225 through a network interface or adapter 223. When used in a WANnetworking environment, computing device 201 may include a modem 227 orother wide area network interface for establishing communications overthe WAN 229, such as computer network 230 (e.g., the Internet). It willbe appreciated that the network connections shown are illustrative andother means of establishing a communications link between the computersmay be used. Computing device 201 and/or terminals 240 may also bemobile terminals (e.g., mobile phones, smartphones, PDAs, notebooks,etc.) including various other components, such as a battery, speaker,and antennas (not shown).

Aspects described herein may also be operational with numerous othergeneral purpose or special purpose computing system environments orconfigurations. Examples of other computing systems, environments,and/or configurations that may be suitable for use with aspectsdescribed herein include, but are not limited to, personal computers,server computers, hand-held or laptop devices, multiprocessor systems,microprocessor-based systems, set top boxes, programmable consumerelectronics, network PCs, minicomputers, mainframe computers,distributed computing environments that include any of the above systemsor devices, and the like.

As shown in FIG. 2, one or more client devices 240 may be incommunication with one or more servers 206 a-206 n (generally referredto herein as “server(s) 206”). In one embodiment, the computingenvironment 200 may include a network appliance installed between theserver(s) 206 and client machine(s) 240. The network appliance maymanage client/server connections, and in some cases can load balanceclient connections amongst a plurality of backend servers 206.

The client machine(s) 240 may in some embodiments be referred to as asingle client machine 240 or a single group of client machines 240,while server(s) 206 may be referred to as a single server 206 or asingle group of servers 206. In one embodiment a single client machine240 communicates with more than one server 206, while in anotherembodiment a single server 206 communicates with more than one clientmachine 240. In yet another embodiment, a single client machine 240communicates with a single server 206.

A client machine 240 can, in some embodiments, be referenced by any oneof the following non-exhaustive terms: client machine(s); client(s);client computer(s); client device(s); client computing device(s); localmachine; remote machine; client node(s); endpoint(s); or endpointnode(s). The server 206, in some embodiments, may be referenced by anyone of the following non-exhaustive terms: server(s), local machine;remote machine; server farm(s), or host computing device(s).

In one embodiment, the client machine 240 may be a virtual machine. Thevirtual machine may be any virtual machine, while in some embodimentsthe virtual machine may be any virtual machine managed by a Type 1 orType 2 hypervisor, for example, a hypervisor developed by CitrixSystems, IBM, VMware, or any other hypervisor. In some aspects, thevirtual machine may be managed by a hypervisor, while in aspects thevirtual machine may be managed by a hypervisor executing on a server 206or a hypervisor executing on a client 240.

Some embodiments include a client device 240 that displays applicationoutput generated by an application remotely executing on a server 206 orother remotely located machine. In these embodiments, the client device240 may execute a virtual machine client agent program or application todisplay the output in an application window, a browser, or other outputwindow. In one example, the application is a desktop, while in otherexamples the application is an application that generates or presents adesktop. A desktop may include a graphical shell providing a userinterface for an instance of an operating system in which local and/orremote applications can be integrated. Applications, as used herein, areprograms that execute after an instance of an operating system (and,optionally, also the desktop) has been loaded.

The server 206, in some embodiments, uses a remote presentation protocolor other program to send data to a thin-client or remote-displayapplication executing on the client to present display output generatedby an application executing on the server 206. The thin-client orremote-display protocol can be any one of the following non-exhaustivelist of protocols: the Independent Computing Architecture (ICA) protocoldeveloped by Citrix Systems, Inc. of Ft. Lauderdale, Fla.; or the RemoteDesktop Protocol (RDP) manufactured by the Microsoft Corporation ofRedmond, Wash.

A remote computing environment may include more than one server 206a-206 n such that the servers 206 a-206 n are logically grouped togetherinto a server farm 206, for example, in a cloud computing environment.The server farm 206 may include servers 206 that are geographicallydispersed while and logically grouped together, or servers 206 that arelocated proximate to each other while logically grouped together.Geographically dispersed servers 206 a-206 n within a server farm 206can, in some embodiments, communicate using a WAN (wide), MAN(metropolitan), or LAN (local), where different geographic regions canbe characterized as: different continents; different regions of acontinent; different countries; different states; different cities;different campuses; different rooms; or any combination of the precedinggeographical locations. In some embodiments the server farm 206 may beadministered as a single entity, while in other embodiments the serverfarm 206 can include multiple server farms.

In some embodiments, a server farm may include servers 206 that executea substantially similar type of operating system platform (e.g.,WINDOWS, UNIX, LINUX, iOS, ANDROID, SYMBIAN, etc.) In other embodiments,server farm 206 may include a first group of one or more servers thatexecute a first type of operating system platform, and a second group ofone or more servers that execute a second type of operating systemplatform.

Server 206 may be configured as any type of server, as needed, e.g., afile server, an application server, a web server, a proxy server, anappliance, a network appliance, a gateway, an application gateway, agateway server, a virtualization server, a deployment server, a SSL VPNserver, a firewall, a web server, an application server or as a masterapplication server, a server executing an active directory, or a serverexecuting an application acceleration program that provides firewallfunctionality, application functionality, or load balancingfunctionality. Other server types may also be used.

Some embodiments include a first server 206 a that receives requestsfrom a client machine 240, forwards the request to a second server 206b, and responds to the request generated by the client machine 240 witha response from the second server 206 b. First server 206 a may acquirean enumeration of applications available to the client machine 240 andwell as address information associated with an application server 206hosting an application identified within the enumeration ofapplications. First server 206 a can then present a response to theclient's request using a web interface, and communicate directly withthe client 240 to provide the client 240 with access to an identifiedapplication. One or more clients 240 and/or one or more servers 206 maytransmit data over network 230, e.g., network 101.

FIG. 2 shows a high-level architecture of an illustrative desktopvirtualization system. As shown, the desktop virtualization system maybe single-server or multi-server system, or cloud system, including atleast one virtualization server 206 configured to provide virtualdesktops and/or virtual applications to one or more client accessdevices 240. As used herein, a desktop refers to a graphical environmentor space in which one or more applications may be hosted and/orexecuted. A desktop may include a graphical shell providing a userinterface for an instance of an operating system in which local and/orremote applications can be integrated. Applications may include programsthat execute after an instance of an operating system (and, optionally,also the desktop) has been loaded. Each instance of the operating systemmay be physical (e.g., one operating system per device) or virtual(e.g., many instances of an OS running on a single device). Eachapplication may be executed on a local device, or executed on a remotelylocated device (e.g., remoted).

Enterprise Mobility Management Architecture

FIG. 3 represents an enterprise mobility technical architecture 300 foruse in an enterprise environment, a BYOD environment, or other mobileenvironments. The architecture enables a user of a mobile device 302(e.g., as client 107, 211, or otherwise) to both access enterprise orpersonal resources from a mobile device 302 and use the mobile device302 for personal use. The user may access such enterprise resources 304or enterprise services 308 using a mobile device 302 that is purchasedby the user or a mobile device 302 that is provided by the enterprise tothe user. The user may utilize the mobile device 302 for business useonly or for business and personal use. The mobile device may run an iOSoperating system, Android operating system, and/or the like. Theenterprise may choose to implement policies to manage the mobile device304. The policies may be implanted through a firewall or gateway in sucha way that the mobile device may be identified, secured or securityverified, and provided selective or full access to the enterpriseresources. The policies may be mobile device management policies, mobileapplication management policies, mobile data management policies, orsome combination of mobile device, application, and data managementpolicies. A mobile device 304 that is managed through the application ofmobile device management policies may be referred to as an enrolleddevice.

The operating system of the mobile device may be separated into amanaged partition 310 and an unmanaged partition 312. The managedpartition 310 may have policies applied to it to secure the applicationsrunning on and data stored in the managed partition. The applicationsrunning on the managed partition may be secure applications. The secureapplications may be email applications, web browsing applications,software-as-a-service (SaaS) access applications, Windows Applicationaccess applications, and the like. The secure applications may be securenative applications 314, secure remote applications 322 executed by asecure application launcher 318, virtualization applications 326executed by a secure application launcher 318, and the like. The securenative applications 314 may be wrapped by a secure application wrapper320. The secure application wrapper 320 may include integrated policiesthat are executed on the mobile device 302 when the secure nativeapplication is executed on the device. The secure application wrapper320 may include meta-data that points the secure native application 314running on the mobile device 302 to the resources hosted at theenterprise that the secure native application 314 may require tocomplete the task requested upon execution of the secure nativeapplication 314. The secure remote applications 322 executed by a secureapplication launcher 318 may be executed within the secure applicationlauncher application 318. The virtualization applications 326 executedby a secure application launcher 318 may utilize resources on the mobiledevice 302, at the enterprise resources 304, and the like. The resourcesused on the mobile device 302 by the virtualization applications 326executed by a secure application launcher 318 may include userinteraction resources, processing resources, and the like. The userinteraction resources may be used to collect and transmit keyboardinput, mouse input, camera input, tactile input, audio input, visualinput, gesture input, and the like. The processing resources may be usedto present a user interface, process data received from the enterpriseresources 304, and the like. The resources used at the enterpriseresources 304 by the virtualization applications 326 executed by asecure application launcher 318 may include user interface generationresources, processing resources, and the like. The user interfacegeneration resources may be used to assemble a user interface, modify auser interface, refresh a user interface, and the like. The processingresources may be used to create information, read information, updateinformation, delete information, and the like. For example, thevirtualization application may record user interactions associated witha GUI and communicate them to a server application where the serverapplication will use the user interaction data as an input to theapplication operating on the server. In this arrangement, an enterprisemay elect to maintain the application on the server side as well asdata, files, etc. associated with the application. While an enterprisemay elect to “mobilize” some applications in accordance with theprinciples herein by securing them for deployment on the mobile device,this arrangement may also be elected for certain applications. Forexample, while some applications may be secured for use on the mobiledevice, others may not be prepared or appropriate for deployment on themobile device so the enterprise may elect to provide the mobile useraccess to the unprepared applications through virtualization techniques.As another example, the enterprise may have large complex applicationswith large and complex data sets (e.g. material resource planningapplications) where it would be very difficult, or otherwiseundesirable, to customize the application for the mobile device so theenterprise may elect to provide access to the application throughvirtualization techniques. As yet another example, the enterprise mayhave an application that maintains highly secured data (e.g. humanresources data, customer data, engineering data) that may be deemed bythe enterprise as too sensitive for even the secured mobile environmentso the enterprise may elect to use virtualization techniques to permitmobile access to such applications and data. An enterprise may elect toprovide both fully secured and fully functional applications on themobile device as well as a virtualization application to allow access toapplications that are deemed more properly operated on the server side.In an embodiment, the virtualization application may store some data,files, etc. on the mobile phone in one of the secure storage locations.An enterprise, for example, may elect to allow certain information to bestored on the phone while not permitting other information.

In connection with the virtualization application, as described herein,the mobile device may have a virtualization application that is designedto present GUI's and then record user interactions with the GUI. Theapplication may communicate the user interactions to the server side tobe used by the server side application as user interactions with theapplication. In response, the application on the server side maytransmit back to the mobile device a new GUI. For example, the new GUImay be a static page, a dynamic page, an animation, or the like.

The applications running on the managed partition may be stabilizedapplications. The stabilized applications may be managed by a devicemanager 324. The device manager 324 may monitor the stabilizedapplications and utilize techniques for detecting and remedying problemsthat would result in a destabilized application if such techniques werenot utilized to detect and remedy the problems.

The secure applications may access data stored in a secure datacontainer 328 in the managed partition 310 of the mobile device. Thedata secured in the secure data container may be accessed by the securewrapped applications 314, applications executed by a secure applicationlauncher 318, virtualization applications 326 executed by a secureapplication launcher 318, and the like. The data stored in the securedata container 328 may include files, databases, and the like. The datastored in the secure data container 328 may include data restricted to aspecific secure application 330, shared among secure applications 332,and the like. Data restricted to a secure application may include securegeneral data 334 and highly secure data 338. Secure general data may usea strong form of encryption such as AES 128-bit encryption or the like,while highly secure data 338 may use a very strong form of encryptionsuch as AES 254-bit encryption. Data stored in the secure data container328 may be deleted from the device upon receipt of a command from thedevice manager 324. The secure applications may have a dual-mode option340. The dual mode option 340 may present the user with an option tooperate the secured application in an unsecured mode. In an unsecuredmode, the secure applications may access data stored in an unsecureddata container 342 on the unmanaged partition 312 of the mobile device302. The data stored in an unsecured data container may be personal data344. The data stored in an unsecured data container 342 may also beaccessed by unsecured applications 348 that are running on the unmanagedpartition 312 of the mobile device 302. The data stored in an unsecureddata container 342 may remain on the mobile device 302 when the datastored in the secure data container 328 is deleted from the mobiledevice 302. An enterprise may want to delete from the mobile deviceselected or all data, files, and/or applications owned, licensed orcontrolled by the enterprise (enterprise data) while leaving orotherwise preserving personal data, files, and/or applications owned,licensed or controlled by the user (personal data). This operation maybe referred to as a selective wipe. With the enterprise and personaldata arranged in accordance to the aspects described herein, anenterprise may perform a selective wipe.

The mobile device may connect to enterprise resources 304 and enterpriseservices 308 at an enterprise, to the public Internet 348, and the like.The mobile device may connect to enterprise resources 304 and enterpriseservices 308 through virtual private network connections. The virtualprivate network connections may be specific to particular applications350, particular devices, particular secured areas on the mobile device,and the like (e.g., 352). For example, each of the wrapped applicationsin the secured area of the phone may access enterprise resources throughan application specific VPN such that access to the VPN would be grantedbased on attributes associated with the application, possibly inconjunction with user or device attribute information. The virtualprivate network connections may carry Microsoft Exchange traffic,Microsoft Active Directory traffic, HTTP traffic, HTTPS traffic,application management traffic, and the like. The virtual privatenetwork connections may support and enable single-sign-on authenticationprocesses 354. The single-sign-on processes may allow a user to providea single set of authentication credentials, which are then verified byan authentication service 358. The authentication service 358 may thengrant to the user access to multiple enterprise resources 304, withoutrequiring the user to provide authentication credentials to eachindividual enterprise resource 304.

The virtual private network connections may be established and managedby an access gateway 360. The access gateway 360 may include performanceenhancement features that manage, accelerate, and improve the deliveryof enterprise resources 304 to the mobile device 302. The access gatewaymay also re-route traffic from the mobile device 302 to the publicInternet 348, enabling the mobile device 302 to access publiclyavailable and unsecured applications that run on the public Internet348. The mobile device may connect to the access gateway via a transportnetwork 362. The transport network 362 may be a wired network, wirelessnetwork, cloud network, local area network, metropolitan area network,wide area network, public network, private network, and the like.

The enterprise resources 304 may include email servers, file sharingservers, SaaS applications, Web application servers, Windows applicationservers, and the like. Email servers may include Exchange servers, LotusNotes servers, and the like. File sharing servers may include SHAREFILEservers, other file sharing services, and the like. SaaS applicationsmay include Salesforce, and the like. Windows application servers mayinclude any application server that is built to provide applicationsthat are intended to run on a local Windows operating system, and thelike. The enterprise resources 304 may be premise-based resources, cloudbased resources, and the like. The enterprise resources 304 may beaccessed by the mobile device 302 directly or through the access gateway360. The enterprise resources 304 may be accessed by the mobile device302 via a transport network 362. The transport network 362 may be awired network, wireless network, cloud network, local area network,metropolitan area network, wide area network, public network, privatenetwork, and the like.

The enterprise services 308 may include authentication services 358,threat detection services 364, device manager services 324, file sharingservices 368, policy manager services 370, social integration services372, application controller services 374, and the like. Authenticationservices 358 may include user authentication services, deviceauthentication services, application authentication services, dataauthentication services and the like. Authentication services 358 mayuse certificates. The certificates may be stored on the mobile device302, by the enterprise resources 304, and the like. The certificatesstored on the mobile device 302 may be stored in an encrypted locationon the mobile device, the certificate may be temporarily stored on themobile device 302 for use at the time of authentication, and the like.Threat detection services 364 may include intrusion detection services,unauthorized access attempt detection services, and the like.Unauthorized access attempt detection services may include unauthorizedattempts to access devices, applications, data, and the like. Devicemanagement services 324 may include configuration, provisioning,security, support, monitoring, reporting, and decommissioning services.File sharing services 368 may include file management services, filestorage services, file collaboration services, and the like. Policymanager services 370 may include device policy manager services,application policy manager services, data policy manager services, andthe like. Social integration services 372 may include contactintegration services, collaboration services, integration with socialnetworks such as Facebook, Twitter, and LinkedIn, and the like.Application controller services 374 may include management services,provisioning services, deployment services, assignment services,revocation services, wrapping services, and the like.

The enterprise mobility technical architecture 300 may include anapplication store 378. The application store 378 may include unwrappedapplications 380, pre-wrapped applications 382, and the like.Applications may be populated in the application store 378 from theapplication controller 374. The application store 378 may be accessed bythe mobile device 302 through the access gateway 360, through the publicInternet 348, or the like. The application store may be provided with anintuitive and easy to use user interface. The application store 378 mayprovide access to a software development kit 384. The softwaredevelopment kit 384 may provide a user the capability to secureapplications selected by the user by wrapping the application asdescribed previously in this description. An application that has beenwrapped using the software development kit 384 may then be madeavailable to the mobile device 302 by populating it in the applicationstore 378 using the application controller 374.

The enterprise mobility technical architecture 300 may include amanagement and analytics capability. The management and analyticscapability may provide information related to how resources are used,how often resources are used, and the like. Resources may includedevices, applications, data, and the like. How resources are used mayinclude which devices download which applications, which applicationsaccess which data, and the like. How often resources are used mayinclude how often an application has been downloaded, how many times aspecific set of data has been accessed by an application, and the like.

FIG. 4 is another illustrative enterprise mobility management system400. Some of the components of the mobility management system 300described above with reference to FIG. 3 have been omitted for the sakeof simplicity. The architecture of the system 400 depicted in FIG. 4 issimilar in many respects to the architecture of the system 300 describedabove with reference to FIG. 3 and may include additional features notmentioned above.

In this case, the left hand side represents an enrolled mobile device402 (e.g., client 107, 212, 302, etc.) with a client agent 404, whichinteracts with gateway server 406 (which includes access gateway andapplication controller functionality) to access various enterpriseresources 408 and services 409 such as Exchange, Sharepoint, PKIResources, Kerberos Resources, and Certificate Issuance Service, asshown on the right hand side above. Although not specifically shown, themobile device 402 may also interact with an enterprise application store(e.g., StoreFront) for the selection and downloading of applications.Client agent 404 may, for example, be a software application executingon a client device that facilitates communications with remote resourcesand/or virtualized resources. Gateway server 406 may, for example, be aserver or other resource that provides access to enterprise resourcesand/or cloud resources.

The client agent 404 acts as the UI (user interface) intermediary forWindows apps/desktops hosted in an Enterprise data center, which areaccessed using the HDX/ICA display remoting protocol, or any otherremoting protocol. The client agent 404 also supports the installationand management of native applications on the mobile device 402, such asnative iOS or Android applications. For example, the managedapplications 410 (mail, browser, wrapped application) shown in thefigure above are all native applications that execute locally on thedevice. Client agent 404 and an application management framework, suchas MDX (mobile experience technology) by Citrix Systems Inc. of FortLauderdale, Fla. (other application management frameworks may also beused), act to provide policy driven management capabilities and featuressuch as connectivity and SSO (single sign on) to enterpriseresources/services 408. The client agent 404 handles primary userauthentication to the enterprise, normally to the access gateway (AG)with SSO to other gateway server components. The client agent 404obtains policies from gateway server 406 to control the behavior of themanaged applications 410 on the mobile device 402. As used herein, amanaged application is one that is capable of being controlled based onand operated in accordance with independently defined and communicatedpolicy files.

The secure IPC links 412 between the native applications 410 and clientagent 404 represent a management channel, which allows client agent tosupply policies to be enforced by the application management framework414 “wrapping” each application. The IPC channel 412 also allows clientagent 404 to supply credential and authentication information thatenables connectivity and SSO to enterprise resources 408. Finally theIPC channel 412 allows the application management framework 414 toinvoke user interface functions implemented by client agent 404, such asonline and offline authentication.

Communications between the client agent 404 and gateway server 406 areessentially an extension of the management channel from the applicationmanagement framework 414 wrapping each native managed application 410.The application management framework 414 requests policy informationfrom client agent 404, which in turn requests it from gateway server406. The application management framework 414 requests authentication,and client agent 404 logs into the gateway services part of gatewayserver 406 (also known as NetScaler Access Gateway). Client agent 404may also call supporting services on gateway server 406, which mayproduce input material to derive encryption keys for the local datavaults 416, or provide client certificates which may enable directauthentication to PKI protected resources, as more fully explainedbelow.

In more detail, the application management framework 414 “wraps” eachmanaged application 410. This may be incorporated via an explicit buildstep, or via a post-build processing step. The application managementframework 414 may “pair” with client agent 614 on first launch of anapplication 410 to initialize the secure IPC channel and obtain thepolicy for that application. The application management framework 414may enforce relevant portions of the policy that apply locally, such asthe client agent login dependencies and some of the containment policiesthat restrict how local OS services may be used, or how they mayinteract with the application 410.

The application management framework 414 may use services provided byclient agent 404 over the secure IPC channel 412 to facilitateauthentication and internal network access. Key management for theprivate and shared data vaults 416 (containers) may be also managed byappropriate interactions between the managed applications 410 and clientagent 404. Vaults 416 may be available only after online authentication,or may be made available after offline authentication if allowed bypolicy. First use of vaults 416 may require online authentication, andoffline access may be limited to at most the policy refresh periodbefore online authentication is again required.

Network access to internal resources may occur directly from individualmanaged applications 410 through access gateway 406. The applicationmanagement framework 414 is responsible for orchestrating the networkaccess on behalf of each application 410. Client agent 404 mayfacilitate these network connections by providing suitable time limitedsecondary credentials obtained following online authentication. Multiplemodes of network connection may be used, such as reverse web proxyconnections and end-to-end VPN-style tunnels 418.

The mail and browser managed applications 410 have special status andmay make use of facilities that might not be generally available toarbitrary wrapped applications. For example, the mail application mayuse a special background network access mechanism that allows it toaccess Exchange over an extended period of time without requiring a fullAD logon. The browser application may use multiple private data vaultsto segregate different kinds of data.

This architecture supports the incorporation of various other securityfeatures. For example, gateway server 406 (including its gatewayservices) in some cases will not need to validate AD passwords. It canbe left to the discretion of an enterprise whether an AD password isused as an authentication factor for some users in some situations.Different authentication methods may be used if a user is online oroffline (i.e., connected or not connected to a network).

Step up authentication is a feature wherein gateway server 406 mayidentify managed native applications 410 that are allowed to have accessto highly classified data requiring strong authentication, and ensurethat access to these applications is only permitted after performingappropriate authentication, even if this means a re-authentication isrequired by the user after a prior weaker level of login.

Another security feature of this solution is the encryption of the datavaults 416 (containers) on the mobile device 402. The vaults 416 may beencrypted so that all on-device data including files, databases, andconfigurations are protected. For on-line vaults, the keys may be storedon the server (gateway server 406), and for off-line vaults, a localcopy of the keys may be protected by a user password. When data isstored locally on the device 402 in the secure container 416, it ispreferred that a minimum of AES 256 encryption algorithm be utilized.

Other secure container features may also be implemented. For example, alogging feature may be included, wherein all security events happeninginside an application 410 are logged and reported to the backend. Datawiping may be supported, such as if the application 410 detectstampering, associated encryption keys may be written over with randomdata, leaving no hint on the file system that user data was destroyed.Screenshot protection is another feature, where an application mayprevent any data from being stored in screenshots. For example, the keywindow's hidden property may be set to YES. This may cause whatevercontent is currently displayed on the screen to be hidden, resulting ina blank screenshot where any content would normally reside.

Local data transfer may be prevented, such as by preventing any datafrom being locally transferred outside the application container, e.g.,by copying it or sending it to an external application. A keyboard cachefeature may operate to disable the autocorrect functionality forsensitive text fields. SSL certificate validation may be operable so theapplication specifically validates the server SSL certificate instead ofit being stored in the keychain. An encryption key generation featuremay be used such that the key used to encrypt data on the device isgenerated using a passphrase supplied by the user (if offline access isrequired). It may be XORed with another key randomly generated andstored on the server side if offline access is not required. Keyderivation functions may operate such that keys generated from the userpassword use KDFs (key derivation functions, notably PBKDF2) rather thancreating a cryptographic hash of it. The latter makes a key susceptibleto brute force or dictionary attacks.

Further, one or more initialization vectors may be used in encryptionmethods. An initialization vector will cause multiple copies of the sameencrypted data to yield different cipher text output, preventing bothreplay and cryptanalytic attacks. This will also prevent an attackerfrom decrypting any data even with a stolen encryption key if thespecific initialization vector used to encrypt the data is not known.Further, authentication then decryption may be used, wherein applicationdata is decrypted only after the user has authenticated within theapplication. Another feature may relate to sensitive data in memory,which may be kept in memory (and not in disk) only when it's needed. Forexample, login credentials may be wiped from memory after login, andencryption keys and other data inside objective-C instance variables arenot stored, as they may be easily referenced. Instead, memory may bemanually allocated for these.

An inactivity timeout may be implemented, wherein after a policy-definedperiod of inactivity, a user session is terminated.

Data leakage from application management framework 414 may be preventedin other ways. For example, when an application 410 is put in thebackground, the memory may be cleared after a predetermined(configurable) time period. When backgrounded, a snapshot may be takenof the last displayed screen of the application to fasten theforegrounding process. The screenshot may contain confidential data andhence should be cleared.

Another security feature relates to the use of an OTP (one timepassword) 420 without the use of an AD (active directory) 422 passwordfor access to one or more applications. In some cases, some users do notknow (or are not permitted to know) their AD password, so these usersmay authenticate using an OTP 420 such as by using a hardware OTP systemlike SecurID (OTPs may be provided by different vendors also, such asEntrust or Gemalto). In some cases, after a user authenticates with auser ID, a text is sent to the user with an OTP 420. In some cases, thismay be implemented only for online use, with a prompt being a singlefield.

An offline password may be implemented for offline authentication forthose applications 410 for which offline use is permitted via enterprisepolicy. For example, an enterprise may want the enterprise applicationstore to be accessed in this manner. In this case, the client agent 404may require the user to set a custom offline password and the ADpassword is not used. Gateway server 406 may provide policies to controland enforce password standards with respect to the minimum length,character class composition, and age of passwords, such as described bythe standard Windows Server password complexity requirements, althoughthese requirements may be modified.

Another feature relates to the enablement of a client side certificatefor certain applications 410 as secondary credentials (for the purposeof accessing PKI protected web resources via the application managementframework micro VPN feature). For example, an application such as acorporate email application may utilize such a certificate. In thiscase, certificate-based authentication using ActiveSync protocol may besupported, wherein a certificate from the client agent 404 may beretrieved by gateway server 406 and used in a keychain. Each managedapplication may have one associated client certificate, identified by alabel that is defined in gateway server 406.

Gateway server 406 may interact with an enterprise special purpose webservice to support the issuance of client certificates to allow relevantmanaged applications to authenticate to internal PKI protectedresources.

The client agent 404 and application management framework 414 may beenhanced to support obtaining and using client certificates forauthentication to internal PKI protected network resources. More thanone certificate may be supported, such as to match various levels ofsecurity and/or separation requirements. The certificates may be used bythe mail and browser managed applications, and ultimately by arbitrarywrapped applications (provided those applications use web service stylecommunication patterns where it is reasonable for application managementframework to mediate HTTPS requests).

Application management framework client certificate support on iOS mayrely on importing a PKCS 12 BLOB (Binary Large Object) into the iOSkeychain in each managed application for each period of use. Applicationmanagement framework client certificate support may use a HTTPSimplementation with private in-memory key storage. The clientcertificate will never be present in the iOS keychain and will not bepersisted except potentially in “online-only” data value that isstrongly protected.

Mutual SSL may also be implemented to provide additional security byrequiring that a mobile device 402 is authenticated to the enterprise,and vice versa. Virtual smart cards for authentication to gateway server406 may also be implemented.

Both limited and full Kerberos support may be additional features. Thefull support feature relates to an ability to do full Kerberos login toAD 422, using an AD password or trusted client certificate, and obtainKerberos service tickets to respond to HTTP negotiate authenticationchallenges. The limited support feature relates to constraineddelegation in AFEE, where AFEE supports invoking Kerberos protocoltransition so it can obtain and use Kerberos service tickets (subject toconstrained delegation) in response to HTTP negotiate authenticationchallenges. This mechanism works in reverse web proxy (a.k.a. CVPN)mode, and when HTTP (but not HTTPS) connections are proxied in VPN andMicroVPN mode.

Another feature relates to application container locking and wiping,which may automatically occur upon jail-break or rooting detections, andoccur as a pushed command from administration console, and may include aremote wipe functionality even when an application 410 is not running

A multi-site architecture or configuration of the enterprise applicationstore and application controller may be supported that allows users tobe service from one of several different locations in case of failure.

In some cases, managed applications 410 may be allowed to access acertificate and private key via an API (example OpenSSL). Trustedmanaged applications 410 of an enterprise may be allowed to performspecific Public Key operations with an application's client certificateand private key. Various use cases may be identified and treatedaccordingly, such as when an application behaves like a browser and nocertificate access is required, when an application reads a certificatefor “who am I,” when an application uses the certificate to build asecure session token, and when an application uses private keys fordigital signing of important data (e.g. transaction log) or fortemporary data encryption.

Mobile Device Management Features

Having discussed several examples of the computing architecture and theenterprise mobility management architecture that may be used inproviding and/or implementing various aspects of the disclosure, anumber of embodiments will now be discussed in greater detail. Inparticular, and as introduced above, some aspects of the disclosuregenerally relate to providing mobile device management functionalities.In the description below, various examples illustrating how mobiledevice management functionalities may be provided in accordance with oneor more embodiments will be discussed.

FIG. 5 depicts a flowchart that illustrates a method of applying one ormore mobile device management policies to a managed browser inaccordance with one or more illustrative aspects discussed herein. Inone or more embodiments, the method illustrated in FIG. 5 and/or one ormore steps thereof may be performed by a computing device (e.g., genericcomputing device 201). In other embodiments, the method illustrated inFIG. 5 and/or one or more steps thereof may be embodied incomputer-executable instructions that are stored in a computer-readablemedium, such as a non-transitory computer-readable memory.

As seen in FIG. 5, the method may begin at step 505 in which a mobiledevice management (MDM) agent may be initialized. For example, in step505, a computing device (e.g., a mobile computing device, such as alaptop computer, tablet computer, smart phone, or other type of mobiledevice) may initialize an MDM agent (e.g., by executing, configuring,and/or otherwise initiating the MDM agent) on the device. In one or morearrangements, the MDM agent may be an application, service, or processthat is configured to run on the device and is further configured tocollect and/or otherwise obtain information about device, includinginformation about the current state of the device. For example, the MDMagent may be configured to collect and/or maintain device-level stateinformation, such as state information that is indicative of theoperating systems and/or applications that are stored on and/or runningon the device, state information that is indicative of the networkconnections that are available to and/or being used by the device,and/or state information that is indicative of the current location ofwhere the device is located and/or being used (e.g., in terms ofgeographic coordinates; in terms of semantic labels, such as “home” or“work;” etc.). While these types of state information are listed here asexamples of the types of device-level state information that may becollected and/or maintained by the MDM agent in some instances,additional and/or alternative types of state information may besimilarly collected and/or maintained by the MDM agent in otherinstances.

In addition to collecting and maintaining various types of stateinformation, the MDM agent may be further configured to evaluate,analyze, and/or otherwise monitor the various types of state informationbeing collected. For example, the MDM agent may be configured toperiodically determine whether state information has changed and/orexecute one or more actions based on detected changes in the stateinformation. In some instances, the MDM agent may provide the stateinformation to one or more other applications, services, and/orprocesses. For instance, in some examples discussed below, the MDM agentand/or one or more other applications, services, and/or processes on thedevice may analyze and/or otherwise process the state informationcollected by the MDM agent in enforcing mobile device managementpolicies and/or performing other actions in connection with mobiledevice management policies. For instance, some mobile device managementpolicies may define permitted and/or prohibited functions and/orapplications based on different sets of circumstances that may beevaluated using the device state information collected by the MDM agent.In these and/or other ways, the state information may be used inenforcing behavior limitations on various functions and/or applications,such as a managed browser in the examples discussed below.

By collecting, maintaining, evaluating, analyzing, and/or otherwisemonitoring device-level state information (which may, e.g., includeinformation about what applications are installed and/or running on thedevice, where the device is located, what networks the device isconnected to, and/or other device-level considerations that may, forinstance, be distinguished from application-level considerations), acomputing device and/or an MDM agent running on a computing device maybe able to evaluate and make one or more policy decisions that cannot bemade based only on information known by a single application. As aresult, such a computing device and/or an MDM agent may be able toprovide more control over policy management and enforcement than someconventional application management frameworks (which may, e.g.,evaluate and make policy decisions based only on application-levelinformation and, as a result, may fail to provide the same level offunctionality as can be provided when device-level state information isused).

In some embodiments, after an MDM agent is initialized on a computingdevice (e.g., in step 505), the computing device and/or the MDM agentrunning on the computing device may provide information to, and/or mayreceive one or more commands from, one or more policy management servers(which may, e.g., impact the state of the device). For example, inproviding information to one or more policy management servers, thecomputing device and/or the MDM agent running on the computing devicemay send state information (which may, e.g., include various types ofdevice state information as discussed herein) to the one or more policymanagement servers, which may, for instance, be configured to analyzesuch information and provide commands and/or other information back tothe computing device and/or the MDM agent running on the computingdevice. In addition, in receiving commands from one or more policymanagement servers, the computing device and/or the MDM agent running onthe computing device may receive new and/or updated policies and/orother policy information, remotely analyzed and/or otherwise processeddevice state information (e.g., the one or more policy managementservers may remotely analyze and/or otherwise process state informationcollected by, obtained from, and/or related to the device, and thenprovide such analyzed and/or processed state information back to thedevice), and/or other information.

In step 510, a managed browser may be loaded. For example, in step 510,the computing device (e.g., the computing device that initialized theMDM agent in step 505) may load a managed browser (e.g., by openingand/or otherwise initiating execution of the managed browser). In someembodiments, the managed browser may be a web browser that is configuredto provide one or more enterprise security features. For example, themanaged browser may be configured to provide and/or operate in a“managed” mode in which one or more mobile device management policies(which may, e.g., be defined and/or distributed by an enterprise) may beenforced on the browser (e.g., such that various functions of thebrowser, including the browser's ability to access and/or interact withenterprise resources and/or other content may be restricted inaccordance with one or more policies and/or based on device stateinformation), and the managed browser may be configured to provideand/or operate in an “unmanaged” mode in which policies might not beenforced, but the browser's ability to access specific resources,including one or more enterprise resources, may be restricted.Additionally or alternatively, the managed browser may extend variousenterprise security features for use with mobile device applicationsthat may be configured to run within the browser. For example, anenterprise may require some or all of its employees and/or other usersto install and use the managed browser on their respective mobiledevices in a bring-your-own-device (BYOD) scheme to reduce enterprisesecurity risks. In addition, the managed browser can, for instance, beused to enable mobile device users to access a corporate intranet and/orother enterprise resources without connecting to a virtual privatenetwork (VPN). For instance, the managed browser may implement and/orprovide tunneling functionalities, such as those discussed in greaterdetail below, to enable such access to a corporate intranet and/or otherenterprise resources.

In step 515, one or more mobile device management policies may beapplied to the managed browser. For example, in step 515, the computingdevice and/or the MDM agent running on the computing device may applyone or more policies to the managed browser, such that certain functionsof the managed browser may be selectively enabled and/or disabled basedon the state information being collected by the MDM agent. In one ormore arrangements, the mobile device management policies that areapplied to the managed browser may additionally or alternatively controlfunctionalities of the computing device during execution of the managedbrowser. In some instances, the mobile device management policies mayadditionally or alternatively control functionalities of the computingdevice even when the managed browser is not being executed on thecomputing device (e.g., and is instead merely present on the computingdevice).

In some embodiments, applying the one or more mobile device managementpolicies to the managed browser may include providing state informationto one or more policy management servers and receiving managementinformation from the one or more policy management servers. For example,in applying the one or more mobile device management policies to themanaged browser (e.g., in step 515), the computing device and/or the MDMagent running on the computing device may provide state information(which may, e.g., include at least some of the state information beingmonitored by the MDM agent loaded in step 505) to one or more policymanagement servers by connecting to, and subsequently sending stateinformation to, the one or more policy management servers. The one ormore policy management servers may, for instance, be operated and/orcontrolled by an enterprise that is distributing and/or otherwiseimplementing the one or more policies which are to be applied to themanaged browser. Additionally or alternatively, the one or more policymanagement servers may be configured to analyze state information(which, e.g., may be received from one or more MDM agents on one or moredevices) and generate management information (which, e.g., may then beprovided to, and subsequently received by, the one or more MDM agents onone or more devices). For example, after providing the state informationto the one or more policy management servers, the computing deviceand/or the MDM agent running on the computing device may receivemanagement information from the one or more policy management servers,and such management information may be generated by the one or morepolicy management servers based on the provided state information. Insome instances, the management information may include one or morecommands to be executed by the computing device and/or by the MDM agent.For example, the management information may include one or more commandsthat, when executed, cause the computing device and/or the MDM agent toselectively enable and/or selectively disable one or more functions ofthe managed browser. In other instances, the management information mayinclude one or more policy updates. For example, the managementinformation may include one or more policy updates that reflect one ormore new and/or updated policies to be applied to the managed browser.

In some embodiments, at least one policy of the one or more mobiledevice management policies may be received from a policy managementserver. For example, the computing device and/or the MDM agent on thecomputing device may receive one or more policies from a policymanagement server that is controlled and/or used by the enterprise,which may send and/or otherwise provide the one or more policies to thecomputing device and/or the MDM agent on the computing device to beapplied to the managed browser on the computing device. In someinstances, the mobile device management policies that are received fromthe policy management server may be generic policies that are configuredto be applied to all users associated with the enterprise. In otherinstances, the mobile device management policies that are received fromthe policy management server may be user-specific policies that areconfigured to be applied to the particular user of the computing deviceand/or role-specific policies that are configured to be applied to usershaving a particular role (e.g., sales, accounting, legal, engineering,executive, etc.) within the enterprise.

In step 520, state information associated with the device may bemonitored. For example, in step 520, the computing device and/or the MDMagent running on the computing device may monitor state information thatis indicative of the current state of the computing device (e.g., bycollecting, obtaining, evaluating, and/or analyzing such stateinformation). As discussed above, some examples of the types of thedevice state information that may be monitored by the MDM agent mayinclude information about the operating systems and/o applications thatare stored on and/or running on the device, information about thenetwork connections that are available to and/or being used by thedevice, and/or information about the current location of the device.

In step 525, one or more behavior limitations may be enforced on themanaged browser. For example, in step 525, the computing device and/orthe MDM agent running on the computing device may enforce one or morebehavior limitations on the managed browser based on the stateinformation (e.g., the state information collected and/or analyzedduring the monitoring of step 520). For instance, in enforcing one ormore behavior limitations on the managed browser, the computing deviceand/or the MDM agent running on the computing device may disable certainfunctions within the managed browser based on the state informationindicating, e.g., that the computing device is located in a particularplace or being used in a certain way. For example, certain functionsmight be disabled within the managed browser to prevent a user fromaccessing enterprise resources and/or other enterprise data if locationinformation included in the state information indicates that the deviceis being used in a location that has not been previously registered asthe user's home location or work location.

In some embodiments, enforcing the one or more behavior limitations onthe managed browser may include restricting access to at least onenetwork resource. For example, in enforcing the one or more behaviorlimitations on the managed browser to restrict access to one or morenetwork resources, the computing device and/or the MDM agent running onthe computing device may limit, block, and/or otherwise control accessto certain websites and/or other network-accessible information (e.g.,using a blacklist of prohibited websites, a whitelist of permittedwebsites, etc.). In some instances, restricting access to one or morenetwork resources may include limiting, blocking, and/or otherwisecontrolling access to enterprise resources and/or other enterprise datathat may be accessible via one or more public and/or private networks.

In some embodiments, enforcing the one or more behavior limitations onthe managed browser may include selectively disabling at least onefunction of the managed browser based on location information associatedwith the computing device. For example, in enforcing the one or morebehavior limitations on the managed browser, the computing device and/orthe MDM agent running on the computing device may apply one or morelocation-based policies to the managed browser that selectively restrictand/or permit certain functions of the managed browser when the deviceis in certain locations. For instance, a location-based policy mayprevent the managed browser (and/or one or more functions within themanaged browser) from being used when the device is or is not in one ormore particular locations. Another location-based policy may, forinstance, limit the websites, applications, and/or other resources thatcan be accessed using the managed browser when the device is or is notin one or more particular locations. In some instances, a location-basedpolicy may define one or more areas in which the policy does or does notapply, and the one or more areas may be defined geographically (e.g., interms of geographic coordinates) and/or semantically (e.g., using labelssuch as “home” or “work”).

In some embodiments, enforcing the one or more behavior limitations onthe managed browser may include selectively disabling at least onefunction of the managed browser based on application inventoryinformation associated with the computing device. For example, inenforcing the one or more behavior limitations on the managed browser,the computing device and/or the MDM agent running on the computingdevice may selectively disable one or more functions of the managedbrowser based on application inventory information associated with thecomputing device. Such application inventory information may, forinstance, include a listing of the applications that are running on thecomputing device, installed on the computing device, and/or otherwisepresent on the computing device, as well as status information abouteach of the applications included in the listing (e.g., indicatingwhether the application is open, whether the application is beingexecuted locally, whether the application is being executed remotely,whether the application is being run inside the managed browser, etc.)and/or other information about the applications. For instance, if one ormore specific applications are running on the computing device,installed on the computing device, and/or otherwise present on thecomputing device, the computing device and/or the MDM agent running onthe computing device may determine to selectively disable one or morefunctions of the managed browser, which may, in some instances, includeselectively preventing the managed browser from accessing specificenterprise resources, modifying specific enterprise data, and/orexecuting other functions.

In some embodiments, enforcing the one or more behavior limitations onthe managed browser may include selectively wiping one or more cachesassociated with the managed browser. For example, in enforcing the oneor more behavior limitations on the managed browser, the computingdevice and/or the MDM agent running on the computing device may applyone or more cache-clearing policies to the managed browser that causeone or more caches of the managed browser to be selectively wiped (e.g.,by the computing device, by the MDM agent running on the computingdevice, by the managed browser itself, etc.) in certain circumstances.For instance, a cache-clearing policy may cause one or more caches ofthe managed browser to be selectively wiped based on the stateinformation indicating that the device is being used in a particularlocation and/or being used in a particular way. In selectively wiping acache of the managed browser, the computing device and/or the MDM agentrunning on the computing device may delete all of the data included inthe cache or only some of the data included in the cache (e.g., onlymanaged enterprise data may be deleted, while unmanaged personal datamight not be deleted). Additionally or alternatively, a cache-clearingpolicy may be used by a network administrator to actively initiate aprocess in which one or more caches of one or more managed browsers(e.g., on various devices) are wiped.

In some embodiments, applying one or more mobile device managementpolicies to the managed browser may include determining that a first setof policies of one or more sets of policies is applicable to a user ofthe managed browser based on identity information associated with theuser, and subsequently determining to apply the first set of policies tothe managed browser. For example, different policies may be applied fordifferent users of the managed browser. In applying one or more mobiledevice management policies to the managed browser, the computing deviceand/or the MDM agent running on the computing device thus may determinean appropriate set of policies to be applied based on identityinformation about the current user of the computing device (e.g., basedon a user account that is currently logged into the computing device).Specific sets of policies may, for instance, be imposed on particularusers and/or particular groups of users. For example, a first set ofpolicies may be applied when a user is part of a first group within theenterprise or has a first role within the enterprise, and a second setof policies (which may, e.g., be different from the first set ofpolicies) may be applied when the user is part of a second group withinthe enterprise or has a second role within the enterprise (which may,e.g., be different from the first role).

FIG. 6 depicts a flowchart that illustrates a method of applying one ormore mobile device management policies to application tunnelingfunctionalities in accordance with one or more illustrative aspectsdiscussed herein. In one or more embodiments, the method illustrated inFIG. 6 and/or one or more steps thereof may be performed by a computingdevice (e.g., generic computing device 201). In other embodiments, themethod illustrated in FIG. 6 and/or one or more steps thereof may beembodied in computer-executable instructions that are stored in acomputer-readable medium, such as a non-transitory computer-readablememory.

As seen in FIG. 6, the method may begin at step 605 in which a mobiledevice management (MDM) agent may be initialized. For example, in step605, a computing device (e.g., a mobile computing device, such as alaptop computer, tablet computer, smart phone, or other type of mobiledevice) may initialize an MDM agent, similar to how such an MDM agentmay be initialized in step 505 (discussed above). In one or morearrangements, after an MDM agent is initialized on a computing device(e.g., in step 605), the computing device and/or the MDM agent runningon the computing device may provide information to, and/or may receiveone or more commands from, one or more policy management servers (whichmay, e.g., impact the state of the device), similar to how suchinformation may be provided and how such commands may be received in theexamples discussed above.

In step 610, state information associated with a mobile computing devicemay be monitored by the mobile device management agent. For example, instep 610, the mobile computing device and/or the MDM agent running onthe mobile computing device may collect, maintain, evaluate, analyze,and/or otherwise monitor various types of state information, similar tohow such state information may be monitored by the MDM agent and/or thecomputing device in the examples discussed above (e.g., with respect toFIG. 5).

In some embodiments, monitoring the state information may includeproviding at least some of the state information to one or more policymanagement servers and receiving management information from the one ormore policy management servers. For example, in monitoring the stateinformation (e.g., in step 610), the computing device and/or the MDMagent running on the computing device may provide at least some of thestate information monitored by the MDM agent to one or more policymanagement servers by connecting to, and subsequently sending the stateinformation to, the one or more policy management servers. The one ormore policy management servers may, for instance, be operated and/orcontrolled by an enterprise that is distributing and/or otherwiseimplementing one or more policies to be applied to application tunnelingfunctionalities, as discussed below. Additionally or alternatively, theone or more policy management servers may be configured to analyze stateinformation (which, e.g., may be received from one or more MDM agents onone or more devices) and generate management information (which, e.g.,may then be provided to, and subsequently received by, the one or moreMDM agents on one or more devices). For example, after providing thestate information to the one or more policy management servers, thecomputing device and/or the MDM agent running on the computing devicemay receive management information from the one or more policymanagement servers, and such management information may be generated bythe one or more policy management servers based on the provided stateinformation. In some instances, the management information may includeone or more commands to be executed by the computing device and/or bythe MDM agent. For example, the management information may include oneor more commands that, when executed, cause the computing device and/orthe MDM agent to selectively enable and/or selective disable applicationtunneling functionalities for one or more specific applications, asdiscussed below. In other instances, the management information mayinclude one or more policy updates. For example, the managementinformation may include one or more policy updates that reflect one ormore new and/or updated policies to be applied to the applicationtunneling functionalities.

In some embodiments, monitoring the state information may includeidentifying one or more applications that are present on the mobilecomputing device. For example, in identifying one or more applicationsthat are present on the mobile computing device, the mobile computingdevice and/or the MDM agent running on the mobile computing device mayinspect one or more storage devices (which may, e.g., be connected toand/or otherwise accessible to the computing device) and/or installationlogs (which may, e.g., be maintained by the computing device) todetermine what application(s) are stored on the computing device,installed on the computing device, previously run on the computingdevice, and/or currently running on the computing device.

In some embodiments, monitoring the state information may includeidentifying one or more network connections that are used by the mobilecomputing device. For example, in identifying one or more networkconnections that are used by the mobile computing device, the mobilecomputing device and/or the MDM agent running on the mobile computingdevice may inspect one or more network interfaces and/or other networkdevices (which may, e.g., be connected to and/or otherwise usable by thecomputing device) and/or one or more connection logs (which may, e.g.,be maintained by the computing device) to determine what network(s) areaccessible to and/or in range of the computing device, what network(s)that computing device has previously connected to, and/or whatnetwork(s) the computing device is currently connected to.

In some embodiments, monitoring the state information may includedetermining current location information for the mobile computingdevice. For example, in determining current location information for themobile computing device, the mobile computing device and/or the MDMagent running on the mobile computing device may determine and/or causeone or more other components (e.g., a GPS receiver, other positioningcomponents, etc.) and/or devices to determine a current position of themobile computing device. In some instances, the location information mayinclude geographic coordinates that are indicative of the currentposition of the mobile computing device. In some instances, the locationinformation may include semantic labels that are indicative of thecurrent position of the mobile computing device relative to one or moreuser-specific landmarks (e.g., “home” or “work”). Any and/or all of thislocation may, for instance, be used by the mobile computing deviceand/or by the MDM agent running on the mobile computing device inapplying and/or enforcing one or more location-based mobile devicemanagement policies.

In step 615, one or more policies may be applied to applicationtunneling functionalities on the mobile computing device based on themonitored state information. For example, in step 615, the mobilecomputing device and/or the MDM agent running on the mobile computingdevice may apply one or more mobile device management policies toapplication tunneling functionalities on the computing device, such thatcertain aspects of the application tunneling functionalities may beselectively enabled and/or disabled based on the state information beingmonitored by the MDM agent. In one or more arrangements, the applicationtunneling functionalities may, for instance, enable particularapplications and/or other processes running on the mobile computingdevice to establish VPN-style tunnels to enterprise servers and/or otherenterprise resources (which may, e.g., enable such applications tosecurely access enterprise data).

In some embodiments, applying the one or more policies to theapplication tunneling functionalities on the mobile computing device mayinclude enabling at least one application tunnel. For example, inenabling at least one application tunnel, the computing device and/orthe MDM agent running on the computing device may, based on one or moremobile device management policies (which may, e.g., dictatecircumstances in which applications tunnels can and/or cannot beestablished to specific resources, including specific enterpriseresources), permit and/or establish one or more application tunnels toone or more resources (which may, e.g., include one or more enterpriseresources). In permitting and/or establishing the one or moreapplication tunnels, the computing device and/or the MDM agent runningon the computing device may evaluate one or more mobile devicemanagement policies in view of device state information to determinewhether an application tunnel can be permitted to be established to aspecific resource (which may, e.g., be an enterprise resource). If, forinstance, the computing device and/or the MDM agent running on thecomputing device determines that the application tunnel can be permittedto be established to the specific resource, then the computing deviceand/or the MDM agent running on the computing device may establish theapplication tunnel and/or cause the application tunnel to be established(e.g., by connecting to and/or otherwise communicating with the specificresource). If, on the other hand, the computing device and/or the MDMagent running on the computing device determines that the applicationtunnel cannot be permitted to be established to the specific resource,then the computing device and/or the MDM agent running on the computingdevice may prevent the application tunnel from being established.

In some embodiments, at least one policy of the one or more policies(that, e.g., are applied to the application tunneling functionalities)may be received from a policy management server. For example, beforeapplying the one or more policies to the application tunnelingfunctionalities, the computing device and/or the MDM agent running onthe computing device may receive one or more policies from a policymanagement server, and the one or more received policies may, forinstance, define specific circumstances in which certain applicationtunneling functionalities should be selectively enabled and/orselectively disabled for specific applications and/or services. Afterreceiving such policies from such a policy management server (which may,e.g., be operated and/or controlled by an enterprise that isimplementing the policies), the computing device and/or the MDM agentrunning on the computing device then may apply one or more of thereceived policies to the application tunneling functionalities on themobile computing device (e.g., by selectively enabling and/orselectively disabling applying tunneling functionalities for specificapplications in accordance with the policies and/or based on devicestate information).

In some embodiments, applying the one or more policies to theapplication tunneling functionalities on the mobile computing device mayinclude selectively disabling the application tunneling functionalitiesfor one or more applications on the mobile computing device based on themonitored state information. For example, in selectively disabling theapplication tunneling functionalities for one or more applications, thecomputing device and/or the MDM agent running on the computing devicemay, based on one or more mobile device management policies (which may,e.g., dictate how state information affects application tunnelingfunctionalities), determine to disable and/or subsequently disableapplication tunneling functionalities for a particular application basedon the state information indicating that certain conditions are and/orare not met. For instance, the computing device and/or the MDM agentrunning on the computing device may selectively disable applicationtunneling functionalities for one or more applications based on certainapplication(s) being present on the device, based on the device beingconnected to certain network(s), and/or based on the device beinglocated in a particular location.

In some embodiments, applying the one or more policies to theapplication tunneling functionalities on the mobile computing device mayinclude selectively enabling and/or selectively disabling tunneling toone or more specific resources. For example, in selectively enablingand/or selectively disabling tunneling to one or more specificresources, the computing device and/or the MDM agent running on thecomputing device may, based on one or more mobile device managementpolicies, the computing device and/or the MDM agent may selectivelyactivate and/or allow one or more specific applications and/or otherprocesses to establish and/or use tunnels to one or more specificenterprise resources. Additionally or alternatively, in selectivelyenabling and/or selectively disabling tunneling to one or more specificresources, the computing device and/or the MDM agent running on thecomputing device may selectively prohibit and/or prevent one or morespecific applications and/or other processes from establishing and/orotherwise using tunnels from one or more specific enterprise resources.In addition, the computing device and/or the MDM agent running on thecomputing device may, for instance, determine to selectively enableand/or selectively disable tunneling to one or more specific resourcesbased on one or more mobile device management policies and/or based ondevice state information (which may, e.g., monitored by the computingdevice and/or by the MDM agent, as discussed above). Thus, changes indevice state information may cause the computing device and/or the MDMagent running on the computing device to selectively enable and/orselectively disable tunneling to one or more specific enterpriseresources.

In some embodiments, applying the one or more policies to theapplication tunneling functionalities on the mobile computing device mayinclude restricting content that is exchangeable via the applicationtunneling functionalities. For example, in restricting the content thatis exchangeable via the application tunneling functionalities, thecomputing device and/or the MDM agent running on the computing devicemay, based on one or more mobile device management policies, determineto prevent and/or subsequently prevent one or more types of data frombeing sent and/or received via VPN-style tunnels that may be establishedand/or used by various applications in accessing and/or interacting withvarious enterprise resources. For instance, the computing device and/orthe MDM agent running on the computing device may prevent certain typesof data, such as highly-secure data or extremely confidential data, frombeing exchanged via the application tunneling functionalities based oncertain application(s) being present on the device, based on the devicebeing connected to certain network(s), and/or based on the device beinglocated in a particular location.

In some embodiments, applying the one or more policies to theapplication tunneling functionalities on the mobile computing device mayinclude restricting operations that are performable via the applicationtunneling functionalities. For example, in restricting the operationsthat are performable via the application tunneling functionalities, thecomputing device and/or the MDM agent running on the computing devicemay, based on one or more mobile device management policies, preventcertain types of operations from being performed via VPN-style tunnelsthat may be established and/or used by various applications in accessingand/or interacting with various enterprise resources. For instance, thecomputing device and/or the MDM agent running on the computing devicemay prevent certain types of operations, such as write operations, frombeing performed (e.g., while allowing read operations to be performed)based on certain application(s) being present on the device, based onthe device being connected to certain network(s), and/or based on thedevice being located in a particular location.

FIG. 7 depicts a flowchart that illustrates a method of applying one ormore mobile device management policies to a device cloud in accordancewith one or more illustrative aspects discussed herein. In one or moreembodiments, the method illustrated in FIG. 7 and/or one or more stepsthereof may be performed by a computing device (e.g., generic computingdevice 201). In other embodiments, the method illustrated in FIG. 7and/or one or more steps thereof may be embodied in computer-executableinstructions that are stored in a computer-readable medium, such as anon-transitory computer-readable memory.

As seen in FIG. 7, the method may begin at step 705 in which a mobiledevice management (MDM) agent may be initialized. For example, in step705, a computing device (e.g., a mobile computing device, such as alaptop computer, tablet computer, smart phone, or other type of mobiledevice) may initialize an MDM agent, similar to how such an MDM agentmay be initialized in step 505 (discussed above). In one or morearrangements, after an MDM agent is initialized on a computing device(e.g., in step 705), the computing device and/or the MDM agent runningon the computing device may provide information to, and/or may receiveone or more commands from, one or more policy management servers (whichmay, e.g., impact the state of the device), similar to how suchinformation may be provided and how such commands may be received in theexamples discussed above. For example, after providing at least some ofthe monitored state information to the one or more policy managementservers, the computing device and/or the MDM agent running on thecomputing device may receive one or more commands from the one or morepolicy management servers based on the state information that wasprovided (e.g., as the one or more policy management servers may receivethe provided state information, analyze the provided state informationin view of one or more mobile device management policies, generate oneor more commands based on the provided state information and/or based onthe one or more policies, and return the generated commands to thecomputing device and/or the MDM agent running on the computing device).

In step 710, a connection may be established to at least one otherdevice to initiate a device cloud. For example, in step 710, thecomputing device may establish a network connection to one or more othercomputing devices to initiate a device cloud. In one or morearrangements, a device cloud may, for instance, enable two or morecomputing devices to be used in combination with each other to perform asingle function or task. In typical instances, the devices may be usedby the same user and/or both may be located near each other (e.g.,within a predetermined distance of each other) and/or near the user(e.g., within a predetermined distance of the user). In some instances,a device cloud may be used to provide a function that is not supportedby one of the user's devices, but is supported by another one of theuser's devices. For example, a user of a laptop computer may wish toconduct a video conference with another person, but the laptop computermight not include a camera. If the user also has a smart phone (or othercomputing device) that includes a camera, however, a device cloud may beused to dynamically link the functionalities provided by the two devicesso that they may be used in providing the video conference. Inparticular, in this example, a device cloud may be established such thatthe user's smart phone may be used as a video input device for the videoconference, while the user's laptop computer can be used to performother functions that may be involved in conducting the video conference(e.g., establishing the connection to the other person's device(s),providing text-based chat functionalities, etc.). While this exampleillustrates some ways in which a device cloud may be used to extend thefunctionalities of one or more devices in some embodiments, such adevice cloud may be used in other ways to extend additional and/oralternative functionalities of various devices in other embodiments.

In one or more arrangements, the two or more computing devices that maybe involved in a device cloud may communicate in various ways (e.g., toexchange information to facilitate the one or more functions that may beprovided via device cloud). For example, the two or more computingdevices may communicate using wireless LAN (WLAN) interfaces and/orsignals, cellular interfaces and/or signals, Bluetooth interfaces and/orsignals, and/or any other communication interfaces and/or signals. Insome instances, an orchestration engine executing on one or more of thecomputing devices involved in the device cloud may manage interactionsand/or other communications between the computing devices involved inthe device cloud.

In step 715, one or more policies may be applied to the device cloud. Inone or more embodiments, the one or more policies may be configured toallocate a first role to the computing device and a second role to theat least one other device that is participating in the device cloud. Forexample, in step 715, the computing device and/or the MDM agent runningon the computing device may apply one or more mobile device managementpolicies to the device cloud established in step 710. Additionally oralternatively, the one or more mobile device management policies maydefine different roles to be performed by each of the devices involvedin the device cloud. For instance, in the example discussed aboveinvolving a video conference, the mobile device management policies mayallocate a video capturing role to the smart phone involved in thedevice cloud, and the mobile device management policies may allocate aconnection maintenance role to the laptop computer involved in thedevice cloud. In addition, in applying one or more policies to thedevice cloud, the computing device and/or the MDM agent running on thecomputing device may monitor state information being collected by theMDM agent (e.g., similar to how such state information may be monitoredin the examples discussed above) and subsequently may enforce the one ormore policies based on the state information.

In some embodiments, the one or more policies applied to the devicecloud may be configured to control whether one or more specific devicescan connect to and/or participate in the device cloud and/or one or moreother device clouds. In instances in which such policies are applied tothe device cloud, the computing device and/or the MDM agent running onthe computing device may, for example, periodically monitor the devicesthat are participating in, requesting access to, and/or are otherwiseinvolved in the device cloud. Such monitoring may, for instance, enablethe computing device and/or the MDM agent running on the computingdevice to determine whether a particular device can join the devicecloud and/or whether a particular device should be removed from thedevice cloud.

In some embodiments, applying the one or more policies to the devicecloud may include restricting at least one function on the computingdevice. For example, in applying one or more policies to the devicecloud, the computing device and/or the MDM agent running on thecomputing device may selectively enable, selectively disable, and/orotherwise control one or more functions on the computing device.Additionally or alternatively, in applying one or more policies to thedevice cloud, the computing device and/or the MDM agent running on thecomputing device may cause one or more functions on the other computingdevice(s) participating in the device cloud to be selectively enabled,selectively disabled, and/or otherwise controlled. In some instances,the mobile device management policies that are applied to the devicecloud (e.g., by the computing device and/or by the MDM agent) mayselectively enable and/or disable certain functionalities while thedevice cloud is connected and/or after a device cloud session has beenconcluded (e.g., after the device cloud is disconnected). For example,the mobile device management policies that are applied to the devicecloud may prevent a user of the computing device from accessing and/orediting enterprise data and/or enterprise resources while the devicecloud is connected. In another example, the mobile device managementpolicies that are applied to the device cloud may prevent a user of thecomputing device from copying and/or pasting enterprise data to one ormore chat windows while the device cloud is connected.

In some embodiments, applying the one or more policies to the devicecloud includes controlling at least one application on the computingdevice. For example, in applying the one or more policies to the devicecloud, the computing device and/or the MDM agent running on thecomputing device may selectively enable, selectively disable, and/orotherwise control one or more applications on the computing device.Additionally or alternatively, in applying one or more policies to thedevice cloud, the computing device and/or the MDM agent running on thecomputing device may cause one or more applications on the othercomputing device(s) participating in the device cloud to be selectivelyenabled, selectively disabled, and/or otherwise controlled. In someinstances, the mobile device management policies that are applied to thedevice cloud (e.g., by the computing device and/or by the MDM agent) mayselectively enable and/or disable certain applications while the devicecloud is connected and/or after a device cloud session has beenconcluded (e.g., after the device cloud is disconnected).

In some embodiments, controlling at least one application on thecomputing device may include disabling the application. For example, inapplying one or more policies to the device cloud and/or in controllingan application, the computing device and/or the MDM agent running on thecomputing device may disable an application (e.g., by preventing theapplication from being opened and/or executed, by closing theapplication if it is already open, etc.).

In some embodiments, controlling at least one application on thecomputing device may include causing one or more applications involvedin the device cloud to create an application tunnel. For example, inapplying one or more policies to the device cloud and/or in controllingan application, the computing device and/or the MDM agent running on thecomputing device may cause one or more applications (which may, e.g., berunning on the device and/or running on one or more other devicesparticipating in the device cloud) to create one or more VPN styletunnels (e.g., to access and/or otherwise interact with one or moreenterprise resources).

In step 720, state information associated with the computing device maybe evaluated. For example, in step 720, the computing device and/or theMDM agent running on the computing device may evaluate various types ofstate information that may have been collected and/or monitored by theMDM agent. In some instances, in evaluating the state information, thecomputing device and/or the MDM agent running on the computing devicemay analyze network connection information associated with the computingdevice. Such network connection information may, for instance, includeinformation identifying what network(s) the device is connected to,various properties associated with the identified network(s), and/orother information associated with networks and/or network connectionsthat are being used by and/or are available to the computing device.Additionally or alternatively, in evaluating the state information, thecomputing device and/or the MDM agent running on the computing devicemay analyze location information associated with the computing device.Such location information may, for instance, include informationidentifying where the device is currently located, where the device hasbeen previously located, in which direction and/or at what speed thedevice may be traveling, and/or other information indicative of thecurrent location of the device.

In some embodiments, the state information that is evaluated in step 720may include state information that is associated with the at least oneother device participating in the device cloud. For example, in step720, the computing device and/or the MDM agent running on the computingdevice may additionally or alternatively evaluate state information thatis obtained from and/or otherwise associated with the one or more otherdevices that are participating in the device cloud. The stateinformation obtained from the other device(s) may be similar to thestate information being monitored by the MDM agent and may, forinstance, include information about what programs are present on theother devices, whether the other devices are located, what networks theother devices are connected to, and so on.

In step 725, it may be determined, based on the state information,whether at least one policy of the one or more policies has beenviolated. For example, in step 725, the computing device and/or the MDMagent running on the computing device may determine, based on the stateinformation evaluated in step 720 (which may, e.g., include locationinformation and/or network connection information, as discussed above),whether one or more of the policies that were applied to the devicecloud in step 710 have been violated.

If it is determined, in step 725, that at least one policy of the one ormore policies has been violated, then in step 730, the device cloud maybe disconnected. For example, in step 730, the computing device and/orthe MDM agent running on the computing device may disconnect theconnection the device cloud and/or otherwise cause the device cloud tobe disconnected (e.g., by sending a disconnection request and/or otherinformation to one or more remote servers and/or devices).

On the other hand, if it is determined in step 725, that at least onepolicy of the one or more policies has not been violated, then themethod may end. Additionally or alternatively, the method may continuein a loop, such that steps 720 and 725 may be periodically repeated(e.g., to reevaluate the state information and/or determine whether oneor more policies have been violated). In addition, in instances in whichthe computing device and/or the MDM agent running on the computingdevice obtained and/or evaluated state information from one or moreother devices participating in the device cloud, similar policy analysismay be performed (e.g., in step 725) using the state informationobtained from the other device(s) and similar disconnection actions maybe performed (e.g., in step 730) if a policy violation is identified.

FIG. 8 depicts a flowchart that illustrates a method of selectivelydisabling one or more modes of a multi-mode application based on one ormore mobile device management policies in accordance with one or moreillustrative aspects discussed herein. In one or more embodiments, themethod illustrated in FIG. 8 and/or one or more steps thereof may beperformed by a computing device (e.g., generic computing device 201). Inother embodiments, the method illustrated in FIG. 8 and/or one or moresteps thereof may be embodied in computer-executable instructions thatare stored in a computer-readable medium, such as a non-transitorycomputer-readable memory.

As seen in FIG. 8, the method may begin at step 805 in which a mobiledevice management (MDM) agent may be initialized. For example, in step805, a computing device (e.g., a mobile computing device, such as alaptop computer, tablet computer, smart phone, or other type of mobiledevice) may initialize an MDM agent, similar to how such an MDM agentmay be initialized in step 505 (discussed above). In one or morearrangements, after an MDM agent is initialized on a computing device(e.g., in step 805), the computing device and/or the MDM agent runningon the computing device may provide information to, and/or may receiveone or more commands from, one or more policy management servers (whichmay, e.g., impact the state of the device), similar to how suchinformation may be provided and how such commands may be received in theexamples discussed above. For example, after providing at least some ofthe monitored state information to the one or more policy managementservers, the computing device and/or the MDM agent running on thecomputing device may receive one or more commands from the one or morepolicy management servers based on the state information that wasprovided (e.g., as the one or more policy management servers may receivethe provided state information, analyze the provided state informationin view of one or more mobile device management policies, generate oneor more commands based on the provided state information and/or based onthe one or more policies, and return the generated commands to thecomputing device and/or the MDM agent running on the computing device).

In step 810, state information associated with a mobile computing devicemay be monitored by the mobile device management agent. For example, instep 810, the mobile computing device and/or the MDM agent running onthe mobile computing device may collect, maintain, evaluate, analyze,and/or otherwise monitor various types of state information, similar tohow such state information may be monitored by the MDM agent and/or thecomputing device in the examples discussed above (e.g., with respect tostep 610 of FIG. 6). For instance, monitoring the state information may,in some embodiments, include identifying one or more applications thatare present on the mobile computing device (e.g., as in the examplesabove). Additionally or alternatively, monitoring the state informationmay, in some embodiments, include identifying one or more networkconnections that are used by the mobile computing device. Additionallyor alternatively, monitoring the state information may, in someembodiments, include determining current location information for themobile computing device.

In step 815, a current usage mode of the mobile computing device may beevaluated. For example, in step 815, in evaluating the current usagemode of the mobile computing device, the computing device and/or the MDMagent running on the computing device may determine, based on themonitored state information (e.g., the state information being monitoredin step 810), whether the computing device is being used in anenterprise mode. For instance, it may be determined that the computingdevice is being used in an enterprise mode if the computing deviceand/or one or more applications running on the computing device arecurrently accessing, editing, storing, and/or otherwise interacting withenterprise data (e.g., information obtained from one or more enterpriseresources), rather than merely interacting with unmanaged data (e.g.,non-enterprise data, such as personal data of the user, like personalcontacts, notes, etc.).

In some embodiments, in response to determining that the mobilecomputing device is not being used in an enterprise mode (e.g., inevaluating the current usage mode of the device in step 815), thecomputing device and/or the MDM agent running on the computing devicemay determine to selectively disable at least one mode of a multi-modeapplication (e.g., a dual-mode application, as discussed below). Forexample, responsive to determining that the computing device is notbeing used in an enterprise mode, the computing device and/or the MDMagent running on the computing device may determine to selectivelydisable a managed mode of a dual-mode application (e.g., while allowingthe application to run and/or continue to run in an unmanaged mode).

In some embodiments, in evaluating a current usage mode of the mobilecomputing device (e.g., in step 815), the computing device and/or themobile device management agent running on the computing device mayprovide at least some of the monitored state information to one or morepolicy management servers. The one or more policy management serversmay, for instance, be configured to receive such state information,analyze the state information (e.g., in view of one or more mobiledevice management policies), and provide one or more commands back tothe mobile device management agent and/or the computing device based onthe analysis of the state information. Additionally or alternatively,after providing at least some of the monitored state information to theone or more policy management servers, the computing device and/or themobile device management agent running on the computing device mayreceive management information from the one or more policy managementservers. In some instances, the received management information mayinclude one or more commands, which in turn may include informationindicating whether the computing device and/or the mobile devicemanagement agent running on the computing device should disable one ormore modes of a multi-mode application that is being executed on thedevice or that is configured to be executed on the device, as discussedbelow. Additionally or alternatively, the management informationreceived from the one or more policy management servers may include oneor more policy updates (which, e.g., may specify one or more new and/orupdated policies to be used in selectively disabling one or more modesof the multi-mode application and/or may be otherwise applied to themulti-mode application).

In step 820, one or more modes of a multi-mode application may beselectively disabled based on the state information. For example, instep 820, the computing device and/or the MDM agent running on thecomputing device may selectively disable one or more modes of amulti-mode application. In some instances, the computing device and/orthe MDM agent running on the computing device may selectively disableone or more modes of the application and/or cause one or more modes ofthe application to be disabled based on the evaluation and/ordetermination(s) made in step 815. Additionally or alternatively, one ormore mobile device management policies may define certain circumstancesin which a certain mode of the application is to be disabled, and thecomputing device and/or the MDM agent may detect these circumstancesbased on the state information and subsequently disable the applicationmode in accordance with the policies. In some instances in which atleast some of the monitored state information is provided to one or morepolicy management servers, the computing device and/or the MDM agentrunning on the computing device may, in step 820, selectively disableone or more modes of a multi-mode application based managementinformation received from the one or more policy management servers(which may, e.g., be generated by the one or more policy managementservers based on an analysis of the provided state information). Inaddition, the management information may, for instance, include one ormore commands specifying that one or more specific modes of themulti-mode application should be disabled. Additionally oralternatively, the management information may, for instance, include oneor more policy updates.

In one or more arrangements, the multi-mode application may be adual-mode application. For example, the multi-mode application may be adual-mode application having a managed mode that is configured toprovide access to enterprise data, as well as an unmanaged mode that isconfigured to limit access to non-enterprise data (e.g., and insteadprovide access only to personal, unmanaged data). In some instances, thecomputing device and/or the MDM agent running the computing device mayselectively disable the managed mode (e.g., in step 820) based on thestate information being monitored (e.g., in step 815) by the computingdevice and/or by the MDM agent running on the computing device. Once themanaged mode of the dual-mode application has been disabled, theapplication may be able to run and/or continue running only in theunmanaged mode (e.g., until the managed mode is enabled by the computingdevice and/or by the MDM agent running on the computing device).

Additionally or alternatively, the multi-mode application may be adual-mode application having a first mode that is configured to providea first level of access to enterprise data and a second mode that isconfigured to provide a second level of access to enterprise data, wherethe second level of access is higher than the first level of access. Forinstance, the multi-mode application may be a dual-mode application thathas a “secure” mode and a “super secure” mode, which may be selectivelydisabled (e.g., in step 820) based on the state information beingmonitored by the computing device and/or the MDM agent running on thecomputing device.

FIG. 9 depicts a flowchart that illustrates a method of enforcing one ormore mobile device management policies on one or more applications inaccordance with one or more illustrative aspects discussed herein. Inone or more embodiments, the method illustrated in FIG. 9 and/or one ormore steps thereof may be performed by a computing device (e.g., genericcomputing device 201). In other embodiments, the method illustrated inFIG. 9 and/or one or more steps thereof may be embodied incomputer-executable instructions that are stored in a computer-readablemedium, such as a non-transitory computer-readable memory.

As seen in FIG. 9, the method may begin at step 905 in which a mobiledevice management (MDM) agent may be initialized. For example, in step905, a computing device (e.g., a mobile computing device, such as alaptop computer, tablet computer, smart phone, or other type of mobiledevice) may initialize an MDM agent, similar to how such an MDM agentmay be initialized in step 505 (discussed above). In one or morearrangements, after an MDM agent is initialized on a computing device(e.g., in step 905), the computing device and/or the MDM agent runningon the computing device may provide information to, and/or may receiveone or more commands from, one or more policy management servers (whichmay, e.g., impact the state of the device), similar to how suchinformation may be provided and how such commands may be received in theexamples discussed above. For example, after providing at least some ofthe monitored state information to the one or more policy managementservers, the computing device and/or the MDM agent running on thecomputing device may receive one or more commands from the one or morepolicy management servers based on the state information that wasprovided (e.g., as the one or more policy management servers may receivethe provided state information, analyze the provided state informationin view of one or more mobile device management policies, generate oneor more commands based on the provided state information and/or based onthe one or more policies, and return the generated commands to thecomputing device and/or the MDM agent running on the computing device).

In step 910, state information associated with a mobile computing devicemay be monitored by the mobile device management agent. For example, instep 910, the mobile computing device and/or the MDM agent running onthe mobile computing device may collect, maintain, evaluate, analyze,and/or otherwise monitor various types of state information, similar tohow such state information may be monitored by the MDM agent and/or thecomputing device in the examples discussed above (e.g., with respect tostep 610 of FIG. 6). For instance, monitoring the state information may,in some embodiments, include identifying one or more applications thatare present on the mobile computing device (e.g., as in the examplesabove). Additionally or alternatively, monitoring the state informationmay, in some embodiments, include identifying one or more networkconnections that are used by the mobile computing device. Additionallyor alternatively, monitoring the state information may, in someembodiments, include determining current location information for themobile computing device. In one or more arrangements, monitoring thestate information may include providing at least some of the monitoredstate information to one or more policy management servers. For example,in monitoring the state information (e.g., in step 910), the mobilecomputing device and/or the MDM agent running on the mobile computingdevice may send at least some of the monitored state information to oneor more policy management servers (which may, e.g., be configured toanalyze such state information, as discussed above).

In step 915, one or more policies may be enforced on at least oneapplication on the mobile computing device based on the monitored stateinformation. For example, in step 915, the computing device and/or theMDM agent running on the computing device may enforce one or morepolicies on an application on the device based on the state informationbeing monitored (e.g., in step 910). The one or more mobile devicemanagement policies may define certain circumstances in which certainfunctionalities of certain applications are to be enabled, disabled,and/or modified, and the computing device and/or the MDM agent maydetect these circumstances based on the state information andsubsequently enable, disable, and/or modify these functionalities inaccordance with the policies.

In one or more arrangements, enforcing the one or more policies on theat least one application may include receiving management informationfrom the one or more policy management servers and executing at leastone command included in the management information. For example, inenforcing the one or more policies on the at least one application(e.g., in step 915), the mobile computing device and/or the MDM agentrunning on the mobile computing device may receive managementinformation that includes one or more commands from the one or morepolicy management servers (which may, e.g., have been generated by theone or more policy management servers based on the device stateinformation provided to and received by them in step 910). Additionallyor alternatively, after receiving such commands from the one or morepolicy management servers, the mobile computing device and/or the MDMagent running on the mobile computing device may execute one or more ofthe received commands in order to enforce one or more policies and/orotherwise impose one or more restrictions on the application(s) beingsubjected to the policies. For example, the one or more commandsreceived from the one or more policy management servers may specify thatspecific functions of the application (e.g., cut-and-paste functions,save functions, etc.) should be selectively disabled (e.g., in view ofthe current circumstances reflected by the device state information). Insome instances, the management information may additionally oralternatively include one or more policy updates, which may, forinstance, include new and/or updated policies to be applied to the atleast one application.

In some instances, the application (e.g., the application on which thepolicies are enforced in step 915) may be a wrapped application (whichmay, e.g., be wrapped using an application management framework, such asapplication management framework 414 discussed above). In enforcingpolicies on such a wrapped application, the MDM agent running on thecomputing device may communicate with the application wrapper and/or theapplication management framework to selectively enable and/or disablecertain functions of the application and/or make configuration changesto the application and/or the application wrapper.

In some embodiments, enforcing the one or more policies may includedisabling the at least one application based on the monitored stateinformation. For example, in step 915, the computing device and/or theMDM agent running on the computing device may selectively disable one ormore functions of the application (e.g., a save data function, a remoteaccess function, etc.) based on the state information (e.g., monitoredin step 910).

In some embodiments, enforcing the one or more policies may includereconfiguring the at least one application. For example, in step 915,the computing device and/or the MDM agent running on the computingdevice may reconfigure the application based on the state information(e.g., by connecting the application to a different backend or cloud,for instance, based on status and/or nature of the device's currentnetwork connection).

FIG. 10 depicts a flowchart that illustrates a method of controlling asecure document container based on device state information inaccordance with one or more illustrative aspects discussed herein. Inone or more embodiments, the method illustrated in FIG. 10 and/or one ormore steps thereof may be performed by a computing device (e.g., genericcomputing device 201). In other embodiments, the method illustrated inFIG. 10 and/or one or more steps thereof may be embodied incomputer-executable instructions that are stored in a computer-readablemedium, such as a non-transitory computer-readable memory.

As seen in FIG. 10, the method may begin at step 1005, in which a mobiledevice management (MDM) agent may be initialized. For example, in step1005, a computing device (e.g., a mobile computing device, such as alaptop computer, tablet computer, smart phone, or other type of mobiledevice) may initialize an MDM agent, similar to how such an MDM agentmay be initialized in step 505 (discussed above). In one or morearrangements, after an MDM agent is initialized on a computing device(e.g., in step 1005), the computing device and/or the MDM agent runningon the computing device may provide information to, and/or may receiveone or more commands from, one or more policy management servers (whichmay, e.g., impact the state of the device), similar to how suchinformation may be provided and how such commands may be received in theexamples discussed above. For example, after providing at least some ofthe monitored state information to the one or more policy managementservers, the computing device and/or the MDM agent running on thecomputing device may receive one or more commands from the one or morepolicy management servers based on the state information that wasprovided (e.g., as the one or more policy management servers may receivethe provided state information, analyze the provided state informationin view of one or more mobile device management policies, generate oneor more commands based on the provided state information and/or based onthe one or more policies, and return the generated commands to thecomputing device and/or the MDM agent running on the computing device).

In step 1010, state information associated with a mobile computingdevice may be monitored by the mobile device management agent. Forexample, in step 1010, the mobile computing device and/or the MDM agentrunning on the mobile computing device may collect, maintain, evaluate,analyze, and/or otherwise monitor various types of state information,similar to how such state information may be monitored by the MDM agentand/or the computing device in the examples discussed above (e.g., withrespect to step 610 of FIG. 6). For instance, monitoring the stateinformation may, in some embodiments, include identifying one or moreapplications that are present on the mobile computing device (e.g., asin the examples above). Additionally or alternatively, monitoring thestate information may, in some embodiments, include identifying one ormore network connections that are used by the mobile computing device.Additionally or alternatively, monitoring the state information may, insome embodiments, include determining current location information forthe mobile computing device. In one or more arrangements, monitoring thestate information may include providing at least some of the monitoredstate information to one or more policy management servers. For example,in monitoring the state information (e.g., in step 1010), the mobilecomputing device and/or the MDM agent running on the mobile computingdevice may send at least some of the monitored state information to oneor more policy management servers (which may, e.g., be configured toanalyze such state information, as discussed above).

In step 1015, a secure document container may be controlled based on themonitored state information. For example, in step 1015, the computingdevice and/or the MDM agent running on the computing device may controla secure document container based on the state information beingmonitored (e.g., in step 1010). In one or more arrangements, the securedocument container may be a data repository on the computing device thatis configured to securely store enterprise data received by the mobilecomputing device from one or more enterprise resources. Additionally oralternatively, one or more mobile device management policies may definecertain circumstances in which access to the secure document containeris to be restricted, modified, and/or otherwise controlled, and thecomputing device and/or the MDM agent may detect these circumstancesbased on the state information and subsequently restrict, modify, and/orotherwise control access to the secure document container in accordancewith the policies. In other instances, other aspects of the securedocument container (e.g., other than access to the secure documentcontainer) may be similarly controlled by one or more mobile devicemanagement policies.

In one or more arrangements, controlling the secure document containermay include receiving management information from the one or more policymanagement servers and executing at least one command included in themanagement information. For example, in controlling the secure documentcontainer (e.g., in step 1015), the mobile computing device and/or theMDM agent running on the mobile computing device may receive managementinformation that includes one or more commands from the one or morepolicy management servers (which may, e.g., have been generated by theone or more policy management servers based on the device stateinformation provided to and received by them in step 1010). Additionallyor alternatively, after receiving such commands from the one or morepolicy management servers, the mobile computing device and/or the MDMagent running on the mobile computing device may execute one or more ofthe received commands in order to enforce one or more policies and/orotherwise impose one or more restrictions on the secure documentcontainer. For example, the one or more commands received from the oneor more policy management servers may specify that specific types ofdata can or cannot be accessed, stored, modified, and/or otherwiseinteracted with in the secure document container (e.g., in view of thecurrent circumstances reflected by the device state information). Insome instances, the management information may additionally oralternatively include one or more policy updates, which may, forinstance, include new and/or updated policies to be applied to the atleast one application.

In some embodiments, controlling the secure document container mayinclude controlling access to data stored in the secure documentcontainer based on the monitored state information. For example, incontrolling the secure document container, the computing device and/orthe MDM agent running on the computing device may control access to datastored in the secure document container based on the state informationbeing monitored (e.g., in step 1010).

In some embodiments, controlling the secure document container mayinclude selectively wiping data from the secure document container basedon the monitored state information. For example, in controlling thesecure document container, the computing device and/or the MDM agentrunning on the computing device may selectively wipe data from thesecure document container based on the state information being monitored(e.g., in step 1010). In some instances, selectively wiping data fromthe secure document container may include deleting managed and/orenterprise data from the secure document container, while leaving (andnot deleting) unmanaged and/or non-enterprise data in the securedocument container. In other instances, different types of data may bedeleted from the secure document container (e.g., based on one or moremobile device management policies) while other types of data are left inthe secure document container. In some instances, selectively wipingdata from the secure document container may be based on one or moremobile device management policies and/or based on a change in devicestate (which may, e.g., implicate various policies and/or invoke variouspolicy-based responses to the change in device state), as illustrated inthe examples discussed below.

In step 1020, enterprise data may be received. For example, in step1020, the computing device and/or the MDM agent running on the computingdevice may receive enterprise data (e.g., from one or more enterpriseresources, such as one or more enterprise databases and/or servers).

In step 1025, the received enterprise data may be stored in the securedocument container. For example, in step 1025, the computing deviceand/or the MDM agent running on the computing device may store theenterprise data (which may, e.g., have been received in step 1020) inthe secure document container.

In step 1030, it may be determined whether a change in device state hasbeen detected based on the monitored state information. For example, instep 1030, the computing device and/or the MDM agent running on thecomputing device may determine, based on the state information beingmonitored (e.g., in step 1030), whether a change in device state hasbeen detected. In determining whether a change in device state has beendetected, the computing device and/or the MDM agent running on thecomputing device may, for instance, determine whether a new applicationhas been installed on and/or otherwise added to the computing device,whether an application has been deleted from the computing device,whether the network connection being used by the computing device haschanged, and/or whether the location in which the computing device isbeing used has changed. While these examples illustrate the types ofchanges in state information that may be detected in some instances,additional and/or alternative types of changes in state information maysimilarly be detected in other instances.

If it is determined, in step 1030, that a change in device state has notbeen detected, then in step 1035, monitoring of the state informationmay continue. For example, in step 1035, the computing device and/or theMDM agent running on the computing device may continue monitoring stateinformation (e.g., similar to how state information may be monitored instep 1010. Subsequently, the method may end. Alternatively, the methodmay continue in a loop and return to step 1030 in which the computingdevice and/or the MDM agent running on the computing device mayperiodically reevaluate whether a change in device state has beendetected.

On the other hand, if it is determined in step 1030, that a change indevice state has been detected, then in step 1040, the computing deviceand/or the MDM agent running on the computing device may determine toselectively wipe data from the secure document container. In someinstances, the change in device state may be detected by one or morepolicy management servers (e.g., based on device state informationprovided to such servers by the MDM agent), and it may be determined, instep 1040, to selectively wipe data from the secure document containerbased on one or more commands received from the policy managementservers (which may, e.g., be configured to analyze the device stateinformation and subsequently generate such commands based on suchanalysis). Subsequently, in step 1045, the computing device and/or theMDM agent running on the computing device may wipe data from securedocument container and/or cause data to be wiped from the securedocument container. In some instances, the computing device and/or theMDM agent may wipe enterprise data from the secure document container(e.g., the enterprise data received in step 1020 and stored in thesecure document container in step 1025) while leaving other data (e.g.,not deleting the other data) in the secure document container. In otherinstances, the computing device and/or the MDM agent may wipe data fromthe secure document container that was received and/or stored during acertain time period (e.g., within the last four hours) while leavingother data (e.g., data that was received and/or stored during adifferent time period). In still other instances, the computing deviceand/or the MDM agent may wipe data from the secure document containerthat was received and/or stored in connection with a certain application(e.g., a web browser) while leaving other data (which may, e.g., beassociated with other applications, such as word processingapplications, spreadsheet applications, etc.).

In one or more arrangements, the data that is wiped (e.g., in step 1045)may be deleted (e.g., by the computing device and/or by the MDM agentrunning on the computing device) in accordance with one or more mobiledevice management policies. For example, one or more mobile devicemanagement policies may define certain circumstances in which certaintype(s) of data are to be selectively wiped from the secure documentcontainer, and the computing device and/or the MDM agent running on thecomputing device may detect these circumstances based on the stateinformation and subsequently wipe data from the secure documentcontainer in accordance with the policies.

FIG. 11 depicts a flowchart that illustrates a method of dynamicallymodifying a mobile device management policy enforcement scheme based ondevice state information in accordance with one or more illustrativeaspects discussed herein. In one or more embodiments, the methodillustrated in FIG. 11 and/or one or more steps thereof may be performedby a computing device (e.g., generic computing device 201). In otherembodiments, the method illustrated in FIG. 11 and/or one or more stepsthereof may be embodied in computer-executable instructions that arestored in a computer-readable medium, such as a non-transitorycomputer-readable memory.

As seen in FIG. 11, the method may begin at step 1105, in which a mobiledevice management (MDM) agent may be initialized. For example, in step1105, a computing device (e.g., a mobile computing device, such as alaptop computer, tablet computer, smart phone, or other type of mobiledevice) may initialize an MDM agent, similar to how such an MDM agentmay be initialized in step 505 (discussed above). In one or morearrangements, after an MDM agent is initialized on a computing device(e.g., in step 1105), the computing device and/or the MDM agent runningon the computing device may provide information to, and/or may receiveone or more commands from, one or more policy management servers (whichmay, e.g., impact the state of the device), similar to how suchinformation may be provided and how such commands may be received in theexamples discussed above. For example, after providing at least some ofthe monitored state information to the one or more policy managementservers, the computing device and/or the MDM agent running on thecomputing device may receive one or more commands from the one or morepolicy management servers based on the state information that wasprovided (e.g., as the one or more policy management servers may receivethe provided state information, analyze the provided state informationin view of one or more mobile device management policies, generate oneor more commands based on the provided state information and/or based onthe one or more policies, and return the generated commands to thecomputing device and/or the MDM agent running on the computing device).

In step 1110, state information associated with a mobile computingdevice may be monitored by the mobile device management agent. Forexample, in step 1110, the mobile computing device and/or the MDM agentrunning on the mobile computing device may collect, maintain, evaluate,analyze, and/or otherwise monitor various types of state information,similar to how such state information may be monitored by the MDM agentand/or the computing device in the examples discussed above (e.g., withrespect to step 610 of FIG. 6). For instance, monitoring the stateinformation may, in some embodiments, include identifying one or moreapplications that are present on the mobile computing device (e.g., asin the examples above). Additionally or alternatively, monitoring thestate information may, in some embodiments, include identifying one ormore network connections that are used by the mobile computing device.Additionally or alternatively, monitoring the state information may, insome embodiments, include determining current location information forthe mobile computing device.

In step 1115, a mobile device management policy enforcement scheme maybe dynamically modified based on the monitored state information. Forexample, in step 1115, the computing device and/or the MDM agent runningon the computing device may dynamically modify a mobile devicemanagement policy enforcement scheme based on the state information(e.g., monitored in step 1110). In one or more arrangements, thecomputing device and/or the MDM agent running on the computing devicemay implement and/or otherwise have a mobile device management policyenforcement scheme that defines what policies are active (e.g., mobiledevice management policies that are defined and currently should beenforced), what policies are inactive (e.g., mobile device managementpolicies that are defined but currently should not be enforced), and/orother factors and information related to the definition and/orenforcement of mobile device management policies. By dynamicallymodifying the mobile device management policy enforcement scheme basedon the state information, the computing device and/or the MDM agentrunning on the computing device may dynamically vary the policies thatare being enforced and/or other aspects of the policy enforcement schemebased on current device-level considerations (e.g., as reflected in thestate information being monitored by the computing device and/or by theMDM agent).

In some embodiments, dynamically modifying the mobile device managementpolicy enforcement scheme may include activating one or more inactivepolicies based on the monitored state information. For example, indynamically modifying the mobile device management policy enforcementscheme, the computing device and/or the MDM agent running on thecomputing device may activate one or more inactive policies based on thestate information being monitored by the computing device and/or by theMDM agent. In activating one or more inactive policies, the computingdevice and/or the MDM agent may set and/or modify one or more flagscorresponding to the inactive policies to initiate enforcement of theinactive policies and/or may begin enforcing these policies. In thisway, a change in state information (which may, e.g., correspond to achange in the applications that are present on the device, a change inthe network connection(s) being used by the device, and/or a change inlocation of the device) may result in a change in the policy enforcementscheme (which may, e.g., include the activation of one or more inactivepolicies).

In some embodiments, dynamically modifying the mobile device managementpolicy enforcement scheme may include deactivating one or more activepolicies based on the monitored state information. For example, indynamically modifying the mobile device management policy enforcementscheme, the computing device and/or the MDM agent running on thecomputing device may deactivate one or more active policies based on thestate information being monitored by the computing device and/or by theMDM agent. In deactivating one or more active policies, the computingdevice and/or the MDM agent may set and/or modify one or more flagscorresponding to active policies to cease enforcement of the activepolicies and/or may stop enforcing these policies. In this way, a changein state information (which may, e.g., correspond to a change in theapplications that are present on the device, a change in the networkconnection(s) being used by the device, and/or a change in the locationof the device) may result in a change in the policy enforcement scheme(which may, e.g., include the deactivation of one or more activepolicies).

In some embodiments, dynamically modifying the mobile device managementpolicy enforcement scheme may include updating one or more parametersassociated with at least one active policy based on the monitored stateinformation. For example, in dynamically modifying the mobile devicemanagement policy enforcement scheme, the computing device and/or theMDM agent running on the computing device may update one or moreparameters of an active policy based on the state information beingmonitored by the computing device and/or by the MDM agent. In updatingone or more parameters of an active policy, the computing device and/orthe MDM agent may set and/or modify one or more values and/or othersettings that are used by the policy (e.g., in defining circumstances inwhich the policy is applicable and/or invoked, in defining responseactions and/or modes in different circumstances, etc.) and/or may beginand/or continue enforcing the updated policy. In this way, a change instate information (which may, e.g., correspond to a change in theapplications that are present on the device, a change in the networkconnection(s) being used by the device, and/or a change in the locationof the device) may result in a change in the policy enforcement scheme(which may, e.g., include updating the parameters of a policy).

FIG. 12 depicts a flowchart that illustrates a method of enforcingmobile device management policies that are received from an applicationstore in accordance with one or more illustrative aspects discussedherein. In one or more embodiments, the method illustrated in FIG. 12and/or one or more steps thereof may be performed by a computing device(e.g., generic computing device 201). In other embodiments, the methodillustrated in FIG. 12 and/or one or more steps thereof may be embodiedin computer-executable instructions that are stored in acomputer-readable medium, such as a non-transitory computer-readablememory.

As seen in FIG. 12, the method may begin at step 1205, in which a mobiledevice management (MDM) agent may be initialized. For example, in step1205, a computing device (e.g., a mobile computing device, such as alaptop computer, tablet computer, smart phone, or other type of mobiledevice) may initialize an MDM agent, similar to how such an MDM agentmay be initialized in step 505 (discussed above). In one or morearrangements, after an MDM agent is initialized on a computing device(e.g., in step 1205), the computing device and/or the MDM agent runningon the computing device may provide information to, and/or may receiveone or more commands from, one or more policy management servers (whichmay, e.g., impact the state of the device), similar to how suchinformation may be provided and how such commands may be received in theexamples discussed above. For example, after providing at least some ofthe monitored state information to the one or more policy managementservers, the computing device and/or the MDM agent running on thecomputing device may receive one or more commands from the one or morepolicy management servers based on the state information that wasprovided (e.g., as the one or more policy management servers may receivethe provided state information, analyze the provided state informationin view of one or more mobile device management policies, generate oneor more commands based on the provided state information and/or based onthe one or more policies, and return the generated commands to thecomputing device and/or the MDM agent running on the computing device).

In step 1210, at least one mobile device management policy may bereceived from an application store. For example, in step 1210, themobile computing device and/or the MDM agent running on the computingdevice may receive a mobile device management policy from an applicationstore. In some instances, the application store (e.g., from which thepolicy is received) may be an enterprise application store that isconfigured to provide enterprise applications to one or more mobilecomputing devices. In addition to being configured to provide enterpriseapplications to various devices, the enterprise application store alsomay be configured to provide one or more mobile device managementpolicies and/or policy updates to various devices.

In step 1215, state information associated with the mobile computingdevice may be monitored via the mobile device management agent. Forexample, in step 1215, the mobile computing device and/or the MDM agentrunning on the mobile computing device may collect, maintain, evaluate,analyze, and/or otherwise monitor various types of state information,similar to how such state information may be monitored by the MDM agentand/or the computing device in the examples discussed above (e.g., withrespect to step 610 of FIG. 6). For instance, monitoring the stateinformation may, in some embodiments, include identifying one or moreapplications that are present on the mobile computing device (e.g., asin the examples above). Additionally or alternatively, monitoring thestate information may, in some embodiments, include identifying one ormore network connections that are used by the mobile computing device.Additionally or alternatively, monitoring the state information may, insome embodiments, include determining current location information forthe mobile computing device.

In step 1220, the at least one mobile device management policy may beenforced based on the monitored state information. For example, in step1220, the mobile computing device and/or the MDM agent running on thecomputing device may enforce the policy that was received from theapplication store (e.g., in step 1210) based on the state informationbeing monitored in step 1215. The mobile device management policyreceived from the application store (which may, e.g., be an enterpriseapplication store) may, for instance, define one or more circumstancesin which certain functions and/or applications are to be controlled, andthe computing device and/or the MDM agent may detect these circumstancesbased on the state information and subsequently control these functionsand/or applications in enforcing the policy.

In some embodiments, enforcing the at least one mobile device managementpolicy may include selectively disabling one or more functions of themobile computing device based on the monitored state information. Forexample, in enforcing the mobile device management policy received fromthe application store, the computing device and/or the MDM agent runningon the computing device may selectively disable one or more functions ofthe computing device based on the monitored state information. Forinstance, the computing device and/or the MDM agent running on thecomputing device may selectively disable a camera function of thecomputing device, a local wireless sharing function of the computingdevice, and/or other functions of the computing device in accordancebased on current circumstances (e.g., as reflected by the stateinformation) and the policy being applied and enforced.

In some embodiments, enforcing the at least one mobile device managementpolicy may include selectively disabling one or more applications basedon the monitored state information. For example, in enforcing the mobiledevice management policy received from the application store, thecomputing device and/or the MDM agent running on the computing devicemay selectively disable one or more applications on the computing devicebased on the monitored state information. In disabling an application,the computing device and/or the MDM agent may, for instance, prevent theapplication from being opened or otherwise executed and may close theapplication if it is currently running. In some instances, the one ormore applications that are disabled by the computing device and/or theMDM agent may include enterprise applications that were downloadedand/or otherwise obtained from the enterprise application store (e.g.,from which the policy was received).

FIG. 13 depicts a flowchart that illustrates a method of enforcingmobile device management policies based on a single sign-on credentialin accordance with one or more illustrative aspects discussed herein. Inone or more embodiments, the method illustrated in FIG. 13 and/or one ormore steps thereof may be performed by a computing device (e.g., genericcomputing device 201). In other embodiments, the method illustrated inFIG. 13 and/or one or more steps thereof may be embodied incomputer-executable instructions that are stored in a computer-readablemedium, such as a non-transitory computer-readable memory

As seen in FIG. 13, the method may begin at step 1305, in which a mobiledevice management (MDM) agent may be initialized. For example, in step1305, a computing device (e.g., a mobile computing device, such as alaptop computer, tablet computer, smart phone, or other type of mobiledevice) may initialize an MDM agent, similar to how such an MDM agentmay be initialized in step 505 (discussed above). In one or morearrangements, after an MDM agent is initialized on a computing device(e.g., in step 1305), the computing device and/or the MDM agent runningon the computing device may provide information to, and/or may receiveone or more commands from, one or more policy management servers (whichmay, e.g., impact the state of the device), similar to how suchinformation may be provided and how such commands may be received in theexamples discussed above. For example, after providing at least some ofthe monitored state information to the one or more policy managementservers, the computing device and/or the MDM agent running on thecomputing device may receive one or more commands from the one or morepolicy management servers based on the state information that wasprovided (e.g., as the one or more policy management servers may receivethe provided state information, analyze the provided state informationin view of one or more mobile device management policies, generate oneor more commands based on the provided state information and/or based onthe one or more policies, and return the generated commands to thecomputing device and/or the MDM agent running on the computing device).

In step 1310, a single sign-on (SSO) credential that is associated withat least one user account may be received. For example, in step 1310,the computing device and/or the MDM agent running on the computingdevice may receive a single sign-on credential, and the single sign-oncredential may be linked to and/or otherwise associated with aparticular user of the computing device and/or a particular user account(which may, e.g., be utilized in accessing and/or using the computingdevice and/or other resources, such as enterprise resources and/or othernetwork resources). In one or more arrangements, the single sign-oncredential may be an authentication credential that is configured to beused in accessing at least two different enterprise resources (e.g.,various enterprise websites, databases, servers, other resources, etc.).Additionally or alternatively, the single sign-on credential may bereceived when the user is logging into a user account on the computingdevice, logging into an application on the computing device, logginginto a website being accessed via the computing device, interacting withan authentication prompt presented on the computing device, and/or inother ways.

In step 1315, state information associated with the mobile computingdevice may be monitored via the mobile device management agent. Forexample, in step 1315, the mobile computing device and/or the MDM agentrunning on the mobile computing device may collect, maintain, evaluate,analyze, and/or otherwise monitor various types of state information,similar to how such state information may be monitored by the MDM agentand/or the computing device in the examples discussed above (e.g., withrespect to step 610 of FIG. 6). For instance, monitoring the stateinformation may, in some embodiments, include identifying one or moreapplications that are present on the mobile computing device (e.g., asin the examples above). Additionally or alternatively, monitoring thestate information may, in some embodiments, include identifying one ormore network connections that are used by the mobile computing device.Additionally or alternatively, monitoring the state information may, insome embodiments, include determining current location information forthe mobile computing device. In one or more arrangements, monitoring thestate information may include providing at least some of the monitoredstate information to one or more policy management servers. For example,in monitoring the state information (e.g., in step 1315), the mobilecomputing device and/or the MDM agent running on the mobile computingdevice may send at least some of the monitored state information to oneor more policy management servers (which may, e.g., be configured toanalyze such state information, as discussed above). In some instances,in addition to sending at least some of the monitored state informationto the one or more policy management servers, the computing deviceand/or the MDM agent running on the computing device also may send theSSO credential and/or user information derived from the SSO credentialto the one or more policy management servers.

In step 1320, at least one mobile device management policy may beenforced based on the monitored state information and the SSOcredential. For example, in step 1320, the mobile computing deviceand/or the MDM agent running on the mobile computing device may enforceone or more mobile device management policies based on the SSOcredential received in step 1310 and on the state information monitoredin step 1315. In particular, some mobile device management policies may,for instance, define certain circumstances in which certain functionsand/or applications are to be controlled for certain users and/or useraccounts, and the computing device and/or the MDM agent may detect thesecircumstances based on the state information and subsequently controlthese functions and/or applications for the relevant users and/or useraccounts based on the monitored state information and based on identityinformation for the current user and/or current user account (which may,e.g., be determined based on the SSO credential). In this way, differentmobile device management policies and/or different sets of mobile devicemanagement policies may be selected and/or enforced for different usersand/or user accounts, and the SSO credential (e.g., received in step1310) may be used in determining the appropriate policies and/or sets ofpolicies to be applied and/or enforced.

In one or more arrangements, enforcing the at least one mobile devicemanagement policy may include receiving management information from theone or more policy management servers and executing at least one commandincluded in the management information. For example, in enforcing the atleast one mobile device management policy (e.g., in step 1320), themobile computing device and/or the MDM agent running on the mobilecomputing device may receive management information that includes one ormore commands from the one or more policy management servers (which may,e.g., have been generated by the one or more policy management serversbased on the device state information provided to and received by themin step 1315). Additionally or alternatively, after receiving suchcommands from the one or more policy management servers, the mobilecomputing device and/or the MDM agent running on the mobile computingdevice may execute one or more of the received commands in order toenforce the at least one mobile device management policy. In instancesin which the computing device and/or the MDM agent running on thecomputing device provided the SSO credential and/or user informationderived from the SSO credential to the one or more policy managementservers (e.g., in addition to providing the device state information tosuch servers), the one or more policy management servers may generatethe one or more commands not only based on the device state informationand one or more policies, but also based on the SSO credential and/oruser information derived from the SSO credential. For example, one ormore of the commands may be generated by the one or more policymanagement servers specifically for the particular user, as illustratedin some of the examples discussed below. In some instances, themanagement information may additionally or alternatively include one ormore policy updates, which may, for instance, include new and/or updatedpolicies to be applied to the at least one application.

In some embodiments, enforcing the at least one mobile device managementpolicy may include determining, based on the SSO credential, that afirst set of mobile device management policies is applicable, andsubsequently enforcing the first set of mobile device managementpolicies based on the monitored state information. For example, inenforcing one or more policies, the computing device and/or the MDMagent running on the computing device may initially determine that a setof policies is applicable based on the identity of the current userand/or user account, as determined based on the previously receivedsingle sign-on credential. Subsequently, the computing device and/or theMDM agent may enforce the applicable policies based on the monitoredstate information, similar to how such policies may be enforced in theexamples discussed above. For example, a single user may have multipleuser accounts that are linked to one single sign-on credential. Forinstance, a physician who practices at multiple hospitals and officesmay have a user account for each hospital and office where shepractices, and all of these different accounts may be linked to onesingle sign-on credential that corresponds to and can be used by thephysician. In accordance with one or more aspects of the disclosure, thephysician in this example may use the same single sign-on credential tolog in to computer systems at the different hospitals and offices whereshe practices, and depending on the current location of the device andthe SSO credential that is provided during user authentication, one ormore different policies and/or different sets of policies may be appliedto various applications, processes, and/or other functions of thephysician's computing device (which may, e.g., thereby offer thephysician access to different resources for the hospital at which she iscurrently practicing).

In some embodiments, enforcing the at least one mobile device managementpolicy may include obtaining, based on the SSO credential, a first setof mobile device management policies, and enforcing the first set ofmobile device management policies based on the monitored stateinformation. For example, in enforcing one or more policies, thecomputing device and/or the MDM agent running on the computing devicemay initially obtain a set of mobile device management policies based onthe single sign-on credential itself and/or based on the identity of thecurrent user and/or user account, as determined based on the singlesign-on credential. In some instances, the set of mobile devicemanagement policies may, for instance, be obtained from a policy server,an application store (e.g., an enterprise application store), and/or oneor more other sources. Subsequently, the computing device and/or the MDMagent running on the computing device may enforce the obtained policiesbased on the monitored state information, similar to how such policiesmay be enforced in the examples discussed above.

In some embodiments, enforcing the at least one mobile device managementpolicy may include selectively disabling at least one of an applicationand a function of the mobile computing device. For example, in enforcingone or more policies, the computing device and/or the MDM agent runningon the computing device may selectively disable one or more applicationsand/or one or more functions of the computing device based on the stateinformation being monitored by the computing device and/or the MDMagent, similar to how such application(s) and/or function(s) may beselectively disabled and/or otherwise controlled in the examplesdiscussed above.

FIG. 14 depicts a flowchart that illustrates another method of applyingone or more mobile device management policies to a device cloud inaccordance with one or more illustrative aspects discussed herein. Inone or more embodiments, the method illustrated in FIG. 14 and/or one ormore steps thereof may be performed by a computing device (e.g., genericcomputing device 201). In other embodiments, the method illustrated inFIG. 14 and/or one or more steps thereof may be embodied incomputer-executable instructions that are stored in a computer-readablemedium, such as a non-transitory computer-readable memory.

As seen in FIG. 14, the method may begin at step 1405 in which a mobiledevice management (MDM) agent may be initialized on a first computingdevice. For example, in step 1405, a computing device (e.g., a mobilecomputing device, such as a laptop computer, tablet computer, smartphone, or other type of mobile device) may initialize an MDM agent,similar to how such an MDM agent may be initialized in step 505(discussed above). In one or more arrangements, after an MDM agent isinitialized on a computing device (e.g., in step 1405), the computingdevice and/or the MDM agent running on the computing device may provideinformation to, and/or may receive one or more commands from, one ormore policy management servers (which may, e.g., impact the state of thedevice), similar to how such information may be provided and how suchcommands may be received in the examples discussed above. For example,after providing at least some of the monitored state information to theone or more policy management servers, the computing device and/or theMDM agent running on the computing device may receive one or morecommands from the one or more policy management servers based on thestate information that was provided (e.g., as the one or more policymanagement servers may receive the provided state information, analyzethe provided state information in view of one or more mobile devicemanagement policies, generate one or more commands based on the providedstate information and/or based on the one or more policies, and returnthe generated commands to the computing device and/or the MDM agentrunning on the computing device).

In step 1410, a request may be received by the first computing device toinitiate a device cloud with a second computing device. In someinstances, the first computing device may, for example, receive arequest from a user of the first computing device to initiate a devicecloud with the second computing device. In other instances, the firstcomputing device may receive a request from the second computing deviceitself to initiate a device cloud with the second computing device. Instill other instances, the first computing device may receive a requestfrom one or more other computing devices to initiate a device cloud withthe second computing device.

In step 1415, the first computing device may determine, based on one ormore policies and device state information, whether the device cloud canbe initiated with the second computing device. For example, the firstcomputing device may analyze and/or otherwise evaluate device stateinformation associated with the first computing device and/or devicestate information associated with the second computing device in view ofone or more mobile device management policies (which may, e.g., definecertain circumstances in which a device cloud may be initiated, wheresuch circumstances may be determined based on such device stateinformation). In addition, the device state information that is analyzedand/or otherwise evaluated may include any and/or all of the types ofdevice state information discussed herein, including information aboutapplications that are present on the computing device(s), networkconnections that are used by the computing device(s), and/or locationinformation associated with the computing device(s).

In some embodiments, determining whether the device cloud can beinitiated may include providing state information to one or more policymanagement servers and receiving management information from the one ormore policy management servers. For example, in determining whether thedevice cloud can be initiated (e.g., in step 1415), the first computingdevice and/or the MDM agent running on the computing device may providestate information (which may, e.g., include at least some of the stateinformation being monitored by the MDM agent loaded in step 1405) to oneor more policy management servers by connecting to, and subsequentlysending state information to, the one or more policy management servers.The one or more policy management servers may, for instance, be operatedand/or controlled by an enterprise that is distributing and/or otherwiseimplementing the one or more policies which are used in determiningwhether the device cloud can be initiated between the first computingdevice and the second computing device. Additionally or alternatively,the one or more policy management servers may be configured to analyzestate information (which, e.g., may be received from one or more MDMagents on one or more devices) and generate management information(which, e.g., may then be provided to, and subsequently received by, theone or more MDM agents on one or more devices). For example, afterproviding the state information to the one or more policy managementservers, the first computing device and/or the MDM agent running on thefirst computing device may receive management information from the oneor more policy management servers, and such management information maybe generated by the one or more policy management servers based on theprovided state information. In some instances, the managementinformation may include one or more commands to be executed by the firstcomputing device and/or by the MDM agent. For example, the managementinformation may include one or more commands that, when executed, causethe first computing device and/or the MDM agent to allow or prohibit thedevice cloud with the second computing device and/or impose one or moreother restrictions on the device cloud. In other instances, themanagement information may include one or more policy updates. Forexample, the management information may include one or more policyupdates that reflect one or more new and/or updated policies to beapplied to the first computing device and/or the device cloud.

In some embodiments, at least one policy of the one or more policies(which, e.g., are used in determining whether the device cloud can beinitiated) may be received from a policy management server. For example,before determining whether the device cloud can be initiated with thesecond computing device, the first computing device and/or the MDM agentrunning on the first computing device may receive one or more policiesfrom a policy management server, and the one or more received policiesmay, for instance, define specific circumstances in which a device cloudmay be permitted to be initiated and/or may be prohibited from beinginitiated with specific devices. After receiving such policies from sucha policy management server (which may, e.g., be operated and/orcontrolled by an enterprise that is implementing the policies), thefirst computing device and/or the MDM agent running on the firstcomputing device then may use at least one policy of the one or morereceived policies in determining whether the device cloud can beinitiated (e.g., by evaluating the device state information in view ofthe at least one policy).

In some embodiments, the first computing device may be configured toexecute a mobile device management agent that is configured to monitorstate information associated with the first computing device, anddetermining whether the device cloud can be initiated with the secondcomputing device may be based on at least some of the state informationmonitored by the mobile device management agent. For example, the firstcomputing device may be executing and/or may be configured to execute anMDM agent (which, e.g., may be initialized in step 1405, as discussedabove), and in determining whether the device cloud can be initiatedwith the second computing device, at least some of the state informationthat is monitored by the MDM agent may be evaluated. In some instances,such state information may, for example, be evaluated by the firstcomputing device itself in determining whether the device cloud can beinitiated. In other instances, the state information may be evaluated byone or more policy management servers, as discussed below.

In particular, in one or more arrangements, the mobile device managementagent may be configured to provide at least some of the monitored stateinformation to one or more policy management servers (which may, e.g.,be configured to remotely analyze the state information and/or provideone or more commands back to the first computing device based on theanalysis of the state information). In addition, the mobile devicemanagement agent may be further configured to receive one or morecommands from the one or more policy management servers based on thestate information provided to the one or more policy management servers.For example, after providing state information to the one or more policymanagement servers, the mobile device management agent running on thefirst computing device may receive one or more commands that includeinformation indicating whether the first computing device can initiate adevice cloud with the second computing device. In other words, the oneor more policy management servers may remotely evaluate the stateinformation provided by the first computing device, determine based onthis state information whether the first computing device can initiate adevice cloud with the second computing device in view of one or moremobile device management policies (which may, e.g., definecircumstances, as reflected by the state information, in which a devicecloud may be established with specific devices), and subsequentlyprovide information back to the first computing device that includes theresults of this determination (e.g., indicating whether the firstcomputing device can or cannot initiate a device cloud with the secondcomputing device).

If it is determined, in step 1415, that the device cloud cannot beinitiated with the second computing device, then in step 1420, the firstcomputing device may generate a notification message. For example, instep 1420, the first computing device may generate a notificationmessage indicating that the device cloud cannot be initiated and/or maycause the generated notification message to be displayed.

On the other hand, if it is determined, in step 1415, that the devicecloud can be initiated with the second computing device, then in step1425, the first computing device may establish a connection to thesecond computing device to initiate the device cloud. For example, instep 1425, the first computing device may establish a connection to thesecond computing device to initiate the device cloud, similar to howsuch a connection may be established to initiate a device cloud in theexamples discussed above (e.g., as discussed above with respect to step710).

In step 1430, the first computing device may configure the secondcomputing device based on the one or more policies and the device stateinformation. For example, in configuring the second computing devicebased on the one or more policies and the device state information, thefirst computing device may impose certain restrictions on the types ofinformation that can be shared with and/or accessed by the secondcomputing device, specific restrictions on the types of networkconnections that can be used by the second computing device during thedevice cloud, and/or other specific configuration settings. Depending onthe one or more policies and the current device state information,different restrictions and/or settings may be imposed by the firstcomputing device upon the second computing device.

In step 1435, the first computing device may enforce at least one policyof the one or more policies on the device cloud. For example, inenforcing at least one policy of the one or more policies on the devicecloud, the first computing device may allocate specific roles to itselfand/or to the second computing device in the device cloud (e.g., asdiscussed above).

In some embodiments, enforcing the at least one policy may includeallowing at least a portion of an application being executed on thefirst computing device to be executed on the second computing device.For example, in enforcing one or more policies, the first computingdevice may allow certain functions of and/or aspects of a specificapplication that is being executed on the first computing device to beexecuted on the second computing device. In an example where theapplication being executed on the first computing device is avideoconferencing application, enforcing the one or more policies maythus involve the first computing device allowing camera functions and/orother video capture functions of the application to be executed on thesecond computing device, while other functions of the application areexecuted on the first computing device.

In some embodiments, enforcing the at least one policy includesrestricting at least a portion of an application being executed on thefirst computing device to being executed on the second computing device.For example, in enforcing the one or more policies, the first computingdevice may prevent certain functions of and/or aspects of a specificapplication from being executed on the first computing device or thesecond computing device. In an example where the application beingexecuted on the first computing device is a confidential recordsmanagement application, enforcing the one or more policies may thusinvolve the first computing device allowing records viewing functions ofthe application to be executed on the second computing device, whileprevent records editing functions of the application from being executedon the second computing device (and/or, e.g., restricting such editingfunctions to being executed only on the first computing device).

As illustrated above, various aspects of the disclosure relate toproviding mobile device management functionalities. In otherembodiments, however, the concepts discussed herein can be implementedin any other type of computing device (e.g., a desktop computer, aserver, a console, a set-top box, etc.). Thus, although the subjectmatter has been described in language specific to structural featuresand/or methodological acts, it is to be understood that the subjectmatter defined in the appended claims is not necessarily limited to thespecific features or acts described above. Rather, the specific featuresand acts described above are described as some example implementationsof the following claims.

1. A method, comprising: loading, by a computing device, a managedbrowser; applying, by the computing device, one or more mobile devicemanagement policies to the managed browser, wherein applying the one ormore mobile device management policies to the managed browser includesproviding state information to one or more policy management servers andreceiving management information from the one or more policy managementservers; and enforcing one or more behavior limitations on the managedbrowser, wherein at least one policy of the one or more mobile devicemanagement policies is configured to control one or more functionalitiesof the computing device, wherein at least one policy of the one or moremobile device management policies is received from a policy managementserver, wherein the managed browser is configured to provide a managedmode in which one or more policies are enforced on the managed browserand an unmanaged mode in which the one or more policies are not enforcedon the managed browser, wherein the management information includes atleast one command generated, for execution on the computing device, bythe one or more policy management servers based on the one or moremobile device management policies and the state information provided tothe one or more policy management servers, and wherein the at least onecommand included in the management information is configured to causeone or more functions of the managed browser to be selectively disabled.2. The method of claim 1, wherein the management information furtherincludes a policy update.
 3. The method of claim 1, wherein applying theone or more mobile device management policies to the managed browserincludes: determining that a first set of policies of one or more setsof policies is applicable to a user of the managed browser based onidentity information associated with the user; and determining to applythe first set of policies to the managed browser.
 4. The method of claim1, wherein enforcing the one or more behavior limitations on the managedbrowser includes: restricting access to at least one network resource.5. The method of claim 1, wherein enforcing the one or more behaviorlimitations on the managed browser includes: selectively disabling atleast one function of the managed browser based on location informationassociated with the computing device.
 6. The method of claim 1, whereinenforcing the one or more behavior limitations on the managed browserincludes: selectively disabling at least one function of the managedbrowser based on application inventory information associated with thecomputing device.
 7. The method of claim 1, wherein enforcing the one ormore behavior limitations on the managed browser includes: selectivelywiping one or more caches associated with the managed browser based onat least one cache-clearing policy of the one or more mobile devicemanagement policies.
 8. A computing device, comprising: at least oneprocessor; and memory storing computer-readable instructions that, whenexecuted by the at least one processor, cause the computing device to:load a managed browser; apply one or more mobile device managementpolicies to the managed browser, wherein applying the one or more mobiledevice management policies to the managed browser includes providingstate information to one or more policy management servers and receivingmanagement information from the one or more policy management servers;and enforce one or more behavior limitations on the managed browser,wherein at least one policy of the one or more mobile device managementpolicies is configured to control one or more functionalities of thecomputing device, wherein at least one policy of the one or more mobiledevice management policies is received from a policy management server,wherein the managed browser is configured to provide a managed mode inwhich one or more policies are enforced on the managed browser and anunmanaged mode in which the one or more policies are not enforced on themanaged browser, wherein the management information includes at leastone command generated, for execution on the computing device, by the oneor more policy management servers based on the one or more mobile devicemanagement policies and the state information provided to the one ormore policy management servers, and wherein the at least one commandincluded in the management information is configured to cause one ormore functions of the managed browser to be selectively disabled.
 9. Thecomputing device of claim 8, wherein the management information furtherincludes a policy update.
 10. The computing device of claim 8, whereinapplying the one or more mobile device management policies to themanaged browser includes: determining that a first set of policies ofone or more sets of policies is applicable to a user of the managedbrowser based on identity information associated with the user; anddetermining to apply the first set of policies to the managed browser,wherein a first set of policies is applied to the managed browser whenthe user is part of a first group within an enterprise, and a second setof policies different from the first set of policies is applied to themanaged browser when the user is part of a second group within theenterprise.
 11. The computing device of claim 8, wherein enforcing theone or more behavior limitations on the managed browser includes:restricting access to at least one network resource by blocking accessto at least one enterprise resource that is accessible via at least oneprivate network.
 12. The computing device of claim 8, wherein enforcingthe one or more behavior limitations on the managed browser includes:selectively disabling at least one function of the managed browser basedon location information associated with the computing device, wherein atleast one location-based policy of the one or more mobile devicemanagement policies is configured to limit the managed browser's accessto at least one specific enterprise resource based on a location of thecomputing device.
 13. The computing device of claim 8, wherein enforcingthe one or more behavior limitations on the managed browser includes:selectively disabling at least one function of the managed browser basedon application inventory information associated with the computingdevice, wherein at least one policy of the one or more mobile devicemanagement policies is configured to limit the managed browser's accessto at least one specific enterprise resource based on the applicationinventory information indicating that at least one specific applicationis present on the computing device.
 14. The computing device of claim 8,wherein enforcing the one or more behavior limitations on the managedbrowser includes: selectively wiping one or more caches associated withthe managed browser based on at least one cache-clearing policy of theone or more mobile device management policies, wherein selectivelywiping the one or more caches associated with the managed browserincludes deleting managed data included in the one or more caches whilenot deleting unmanaged data included in the one or more caches.
 15. Oneor more non-transitory computer-readable media having instructionsstored thereon that, when executed, cause at least one computing deviceto: load a managed browser; apply one or more mobile device managementpolicies to the managed browser, wherein applying the one or more mobiledevice management policies to the managed browser includes providingstate information to one or more policy management servers and receivingmanagement information from the one or more policy management servers;and enforce one or more behavior limitations on the managed browser,wherein at least one policy of the one or more mobile device managementpolicies is configured to control one or more functionalities of the atleast one computing device, wherein at least one policy of the one ormore mobile device management policies is received from a policymanagement server, wherein the managed browser is configured to providea managed mode in which one or more policies are enforced on the managedbrowser and an unmanaged mode in which the one or more policies are notenforced on the managed browser, wherein the management informationincludes at least one command generated, for execution on the at leastone computing device, by the one or more policy management servers basedon the one or more mobile device management policies and the stateinformation provided to the one or more policy management servers, andwherein the at least one command included in the management informationis configured to cause one or more functions of the managed browser tobe selectively disabled.
 16. (canceled)
 17. (canceled)
 18. The one ormore non-transitory computer-readable media of claim 15, whereinenforcing the one or more behavior limitations on the managed browserincludes: restricting access to at least one network resource.
 19. Theone or more non-transitory computer-readable media of claim 15, whereinenforcing the one or more behavior limitations on the managed browserincludes: selectively disabling at least one function of the managedbrowser based on location information associated with the at least onecomputing device.
 20. The one or more non-transitory computer-readablemedia of claim 15, wherein enforcing the one or more behaviorlimitations on the managed browser includes: selectively disabling atleast one function of the managed browser based on application inventoryinformation associated with the at least one computing device.
 21. Themethod of claim 1, wherein at least one policy of the one or more mobiledevice management policies is configured to be enforced based on thestate information provided to the one or more policy management serversand based on a single sign-on (SSO) credential associated with at leastone user of the computing device, and wherein the SSO credential is anauthentication credential that is configured to be used in accessing atleast two different enterprise resources.
 22. The method of claim 21,wherein at least one policy of the one or more mobile device managementpolicies is obtained from an enterprise application store based on anidentity of a user account associated with the SSO credential.